Missing Access Control (Withdraw_Admin_Fees)
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Contract fails to deliver promised returns, but doesn't lose value
Anyone is able to call withdraw_admin_fees(); it does not check the caller is
Add this line of code:

    assert msg.sender == self.admin
Proof of concept
1. Visit here: https://etherscan.io/address/0xc9c32cd16bf7efb85ff14e0c8603cc90f6f2ee49#code
2. Check the function:

```vyper
def withdraw_admin_fees():
    factory: address = self.factory

    # transfer coin 0 to Factory and call `convert_fees` to swap it for coin 1
    coin: address = self.coins[0]
    amount: uint256 = ERC20(coin).balanceOf(self) - self.balances[0]
    if amount > 0:
        ERC20(coin).transfer(factory, amount)
        Factory(factory).convert_fees()

    # transfer coin 1 to the receiver
    coin = self.coins[1]
    amount = ERC20(coin).balanceOf(self) - self.balances[1]
    if amount > 0:
        receiver: address = Factory(factory).fee_receiver(BASE_POOL)
        ERC20(coin).transfer(receiver, amount)
```
- It lacks a check that the caller is the admin address.
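To make the effect of the proposed guard concrete, here is an added Python model of the withdraw_admin_fees() flow quoted in the report; it is not the pool's or Beanstalk's own code. The addresses, the balances and the Factory's 1:1 fee conversion are constructed stand-ins. Running it shows what the Vyper source itself makes visible: only the surplus above the tracked balances is moved, it is always delivered to the Factory's fee receiver, and once the `assert msg.sender == self.admin` line is in place a call from any other address reverts before anything moves.

```python
# Added example: a Python model of the withdraw_admin_fees() flow from the report,
# not the pool's or Beanstalk's own code.  Addresses, balances and the Factory's
# 1:1 fee conversion are constructed stand-ins for illustration.

ADMIN = "0xADMIN"                # constructed placeholder addresses
FEE_RECEIVER = "0xFEE_RECEIVER"
RANDOM_CALLER = "0xANYONE"


class Unauthorized(Exception):
    """Models the revert produced by `assert msg.sender == self.admin`."""


class Factory:
    """Stand-in for the Factory contract: it receives coin-0 fees and
    convert_fees() swaps them into coin 1, which lands back in the pool."""

    def __init__(self, pool, fee_receiver):
        self.pool = pool
        self.fee_receiver = fee_receiver
        self.held_coin0 = 0

    def receive(self, amount):
        self.held_coin0 += amount

    def convert_fees(self):
        # Modelled as a 1:1 swap so the arithmetic stays easy to follow.
        converted, self.held_coin0 = self.held_coin0, 0
        self.pool.token_balance[1] += converted


class Pool:
    """Two-coin pool.  `balances` mirrors self.balances in the Vyper source
    (user liquidity); any token balance above it is accrued admin fees."""

    def __init__(self, admin, fee_receiver, token_balance, balances, guarded):
        self.admin = admin
        self.token_balance = list(token_balance)  # what ERC20.balanceOf(self) reports
        self.balances = list(balances)
        self.guarded = guarded                    # True = proposed admin check present
        self.factory = Factory(self, fee_receiver)
        self.paid_out = {}                        # receiver address -> coin-1 received

    def _transfer(self, coin, to, amount):
        self.token_balance[coin] -= amount
        if to is self.factory:
            self.factory.receive(amount)
        else:
            self.paid_out[to] = self.paid_out.get(to, 0) + amount

    def withdraw_admin_fees(self, msg_sender):
        """Returns the coin-1 amount sent to the fee receiver."""
        if self.guarded and msg_sender != self.admin:
            raise Unauthorized(msg_sender)
        # transfer coin 0 surplus to the Factory and convert it to coin 1
        amount = self.token_balance[0] - self.balances[0]
        if amount > 0:
            self._transfer(0, self.factory, amount)
            self.factory.convert_fees()
        # transfer coin 1 surplus to the fee receiver
        amount = self.token_balance[1] - self.balances[1]
        sent = 0
        if amount > 0:
            self._transfer(1, self.factory.fee_receiver, amount)
            sent = amount
        return sent


def simulate(guarded, caller):
    """Build a pool holding 50 coin-0 and 30 coin-1 above its tracked balances,
    let `caller` invoke withdraw_admin_fees(), and return
    (coin-1 sent, payouts by address, remaining token balances)."""
    pool = Pool(ADMIN, FEE_RECEIVER, token_balance=[1050, 2030],
                balances=[1000, 2000], guarded=guarded)
    sent = pool.withdraw_admin_fees(caller)
    return sent, dict(pool.paid_out), list(pool.token_balance)


if __name__ == "__main__":
    print("unguarded, random caller:", simulate(False, RANDOM_CALLER))
    print("guarded, admin caller:   ", simulate(True, ADMIN))
    try:
        simulate(True, RANDOM_CALLER)
    except Unauthorized as exc:
        print("guarded, random caller:  reverted for", exc)
```

In both successful runs the pool's token balances end exactly at the tracked `balances`, which is the property a reviewer would check first when assessing whether an unrestricted caller can touch user liquidity through this function.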
This submission is related to an out of scope asset: the BEAN:3CRV Curve LP token. Curve pools are not part of Beanstalk and thus not included in the Immunefi bug bounty program. Curve pools are also non-upgradable.
The Beanstalk DAO acknowledges the risk of using Curve and has transparently communicated that here:
Due to these reasons, this report is not eligible for a reward.