Report #12580

Report Date
October 20, 2022

Missing Access Control (Withdraw_Admin_Fees)

Report Info

Report ID

#12580

Target

Report type

Smart Contract

Impacts

  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Contract fails to deliver promised returns, but doesn't lose value

Has PoC?

Yes

Bug Description

Anyone is able to call withdraw_admin_fees(); it does not check that the caller is the admin.

Fix

Add this line of code

assert msg.sender == self.admin

Proof of concept

1. Visit here

@external  # externally callable by any address; no caller check follows
def withdraw_admin_fees():
    factory: address = self.factory

    # transfer coin 0 to Factory and call `convert_fees` to swap it for coin 1
    coin: address = self.coins[0]
    amount: uint256 = ERC20(coin).balanceOf(self) - self.balances[0]
    if amount > 0:
        ERC20(coin).transfer(factory, amount)
        Factory(factory).convert_fees()

    # transfer coin 1 to the receiver registered in the Factory (not to the caller)
    coin = self.coins[1]
    amount = ERC20(coin).balanceOf(self) - self.balances[1]
    if amount > 0:
        receiver: address = Factory(factory).fee_receiver(BASE_POOL)
        ERC20(coin).transfer(receiver, amount)

2. It lacks a check that the caller is the admin address.
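The following is an added illustration, not the Curve pool code and not the reporter's PoC: a minimal Vyper contract showing where the one-line check proposed under Fix sits when the withdrawal is gated to an admin. The storage variables (admin, fee_receiver, coin, accrued_fees), the constructor and the setter are assumptions made for this example. Note that in the excerpt above the swept amount goes to the Factory's registered fee_receiver rather than to msg.sender, so an arbitrary caller triggers the sweep but does not redirect the funds; the check below therefore limits who may trigger the transfer, which is the griefing concern the report raises.

```vyper
# @version 0.3.7
# Added example for this report; not Curve's or Beanstalk's code.
# All names below are assumptions chosen for illustration.

from vyper.interfaces import ERC20

admin: public(address)          # account allowed to trigger and redirect fee sweeps
fee_receiver: public(address)   # destination of swept fees
coin: public(address)           # ERC20 in which fees accrue
accrued_fees: public(uint256)   # constructed counter of fees owed (set by pool logic elsewhere)

@external
def __init__(_coin: address, _fee_receiver: address):
    self.admin = msg.sender
    self.coin = _coin
    self.fee_receiver = _fee_receiver

@external
def set_fee_receiver(_receiver: address):
    # Only the admin may change where fees go.
    assert msg.sender == self.admin  # dev: admin only
    assert _receiver != empty(address)
    self.fee_receiver = _receiver

@external
@nonreentrant('lock')
def withdraw_admin_fees():
    # The check proposed in the report: reject any caller other than the admin.
    assert msg.sender == self.admin  # dev: admin only

    amount: uint256 = self.accrued_fees
    # Zero the accounting before the external call (checks-effects-interactions).
    self.accrued_fees = 0
    if amount > 0:
        ERC20(self.coin).transfer(self.fee_receiver, amount)
```

With this layout a call from any non-admin address reverts at the assert before any token movement, and the fee destination can only be changed by the same admin, so neither the timing of the sweep nor its recipient is controllable by third parties.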

BIC Response

This submission is related to an out of scope asset: the BEAN:3CRV Curve LP token. Curve pools are not part of Beanstalk and thus not included in the Immunefi bug bounty program. Curve pools are also non-upgradable.

The Beanstalk DAO acknowledges the risk of using Curve and has transparently communicated that here:

Due to these reasons, this report is not eligible for a reward.