Report #12785

Report Date
October 24, 2022

Missing pause/unpause functionality in contracts system with POC

Report Info

Report ID

#12785

Target

Report type

Smart Contract

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?

Yes

Bug Description

Pause/unpause functionality is realized only in SeasonFacet, but it can be realized in other facets, such as FieldFacet, CurveFacet, FundraiserFacet, SiloFacet.

In case a hack is occurring or an exploit is discovered, the team should be able to pause the contract until the necessary changes are made to the system.

Because an attack would probably span a number of blocks, a method for pausing the contract would be able to interrupt any such attack if discovered.

To use a Thorchain example again, the team behind Thorchain noticed an attack was going to occur well before the system transferred funds to the hacker. However, they were not able to shut the system down fast enough (according to the incident report here: https://github.com/HalbornSecurity/PublicReports/blob/master/Incident%20Reports/Thorchain_Incident_Analysis_July_23_2021.pdf).

Impact

The Dev Team from Beanstalk would have the ability to stop an attack or exploit if it happens, and reduce the attack or exploit cost.

Risk Breakdown

Difficulty to Exploit: Easy

Weakness:

CVSS2 Score:

Recommendation

Add more pause() and unpause() functions in other facets.

Proof of concept

Add more pause() and unpause() functions in other facets.

BIC Response

This is not a security bug report because it is intended behavior that pause() only prevents the sunrise() function from being called. In cases where functions need to be removed from Beanstalk due to a vulnerability, the Beanstalk Community Multisig that custodies ownership of the contract can already do so.

Due to these reasons, we are closing the submission and no reward will be issued.