Report Date
October 20, 2022
Missing Access Control (Withdraw_Admin_Fees)
‣
Report ID
#12580
Target
Report type
Smart Contract
Impacts
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Contract fails to deliver promised returns, but doesn't lose value
Has PoC?
Yes
Bug Descrption
Anyone is able to call the withdraw_admin_fees() it doesnot check the caller is admin
Fix
Add this line of code
assert msg.sender == self.adminProof of concept
1. Visit here
https://etherscan.io/address/0xc9c32cd16bf7efb85ff14e0c8603cc90f6f2ee49#code 2. check the function
def withdraw_admin_fees():
factory: address = self.factory
# transfer coin 0 to Factory and call `convert_fees` to swap it for coin 1
coin: address = self.coins[0]
amount: uint256 = ERC20(coin).balanceOf(self) - self.balances[0]
if amount > 0:
ERC20(coin).transfer(factory, amount)
Factory(factory).convert_fees()
# transfer coin 1 to the receiver
coin = self.coins[1]
amount = ERC20(coin).balanceOf(self) - self.balances[1]
if amount > 0:
receiver: address = Factory(factory).fee_receiver(BASE_POOL)
ERC20(coin).transfer(receiver, amount)- It lacks the check an admin is caller address.
BIC Response
This submission is related to an out of scope asset: the BEAN:3CRV Curve LP token. Curve pools are not part of Beanstalk and thus not included in the Immunefi bug bounty program. Curve pools are also non-upgradable.
The Beanstalk DAO acknowledges the risk of using Curve and has transparently communicated that here:
Due to these reasons, this report is not eligible for a reward.