📄

Report #12473

Report Date
October 16, 2022
Status
Closed
Payout

Reputation Risks With Contractowner

Report Info

Report ID

#12473

Target

Report type

Smart Contract

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?

Yes

Bug Description

DiamondCutFacet WhitelistFacet PauseFacet FertilizerFacet

contractOwner has complete freedom to change any functionality and withdraw/rug all assets. Even if well intended the project could still be called out resulting in a damaged reputation like in this example. https://twitter.com/RugDocIO/status/1411732108029181960

Impact

Recommend implementing extra safeguards such as:

Limiting the time period where sensitive functions can be used. Having a waiting period before pushed update is executed. Using a multisig to mitigate single point of failure in case contractOwner private key leaks.

Risk Breakdown

Difficulty to Exploit: Easy Weakness: CVSS2 Score:

Proof of concept

Recommend implementing extra safeguards such as:

Limiting the time period where sensitive functions can be used. Having a waiting period before pushed update is executed. Using a multisig to mitigate single point of failure in case contractOwner private key leaks.

BIC Response

This is not a security bug report because it is incorrect that address 0x925753106fcdb6d2f30c3db295328a0a1c5fd1d1 is the contract owner, it is a 5-of-9 multisig called the Beanstalk Community Multisig. The powers of this multisig are well documented and approved by the Beanstalk DAO. Docs here: https://docs.bean.money/governance/beanstalk/bcm-process

Due to these reasons, we are closing the submission and no reward will be issued.