DeFi, Hardhat, Oracle, Proxy, Updates
100,000 USDC
Submission Details
Severity: low
Invalid

Possible Front Running attack in `unwrapAndSendETH`

Summary

The `UnwrapAndSendETH` contract allows any address that calls the `unwrapAndSendETH` function to withdraw WETH tokens. This design decision poses a potential risk: if a user withdraws their balance to the contract, another person can front-run them and take advantage of the already withdrawn ETH balance.

Vulnerability Details

See the following code:

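```solidity
// Minimal WETH interface needed by this excerpt (not shown in the original snippet).
interface IWETH {
    function balanceOf(address account) external view returns (uint256);
    function withdraw(uint256 amount) external;
}

contract UnwrapAndSendETH {
    // Accept the ETH that WETH sends back on withdraw().
    receive() external payable {}

    address public immutable WETH;

    constructor(address wethAddress) {
        WETH = wethAddress;
    }

    /// @notice Unwrap WETH and send ETH to the specified address
    /// @dev Make sure to load WETH into this contract before calling this function
    function unwrapAndSendETH(address to) external {
        // No caller check: the whole WETH balance held by this contract is unwrapped.
        uint256 wethBalance = IWETH(WETH).balanceOf(address(this));
        require(wethBalance > 0, "Insufficient WETH");
        IWETH(WETH).withdraw(wethBalance);
        // The contract's entire ETH balance goes to the caller-supplied address.
        (bool success, ) = to.call{value: address(this).balance}(
            new bytes(0)
        );
        require(success, "Eth transfer Failed.");
    }
}
```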

Impact

Allowing unrestricted withdrawal of WETH tokens can lead to front-running attacks, in which malicious actors exploit the predictable behavior of transactions to their advantage. In this scenario, a user initiates a transaction to withdraw their WETH balance to the contract. Before this transaction is confirmed, a malicious actor observes it in the mempool and quickly initiates a transaction to withdraw the already withdrawn ETH balance, effectively stealing the funds.

Tools Used

Manual Review

Recommendations

To mitigate the risk of front-running attacks and ensure the security of the contract, consider implementing the following solutions:

Limit the ability to withdraw WETH tokens to only specific addresses or authorized users. This could involve implementing access control mechanisms such as only allowing withdrawal to predefined whitelisted addresses.

Implement time-lock mechanisms to delay the withdrawal of ETH funds after the WETH tokens are unwrapped. By introducing a delay between unwrapping WETH and sending ETH, the contract can prevent immediate front-running attacks by allowing time for transactions to be processed.

Ensure that the contract is protected against re-entrancy attacks by following best practices such as using the checks-effects-interactions pattern and properly handling state changes before interacting with external contracts.
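The scenario in the Impact section depends on WETH sitting in the contract between two separate transactions. As an added example (not code from the submission or the audited project), the caller below loads WETH and calls `unwrapAndSendETH` within a single transaction, following the contract's `@dev` note. `AtomicUnwrapCaller`, `IERC20Like`, `IUnwrapAndSendETH` and `unwrapFor` are hypothetical names, and the WETH token is assumed to return `true` from `transferFrom`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example. Every name here except unwrapAndSendETH(address) is hypothetical.

interface IERC20Like {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

interface IUnwrapAndSendETH {
    function unwrapAndSendETH(address to) external;
}

contract AtomicUnwrapCaller {
    IERC20Like public immutable weth;
    IUnwrapAndSendETH public immutable unwrapper;

    constructor(address wethAddress, address unwrapperAddress) {
        weth = IERC20Like(wethAddress);
        unwrapper = IUnwrapAndSendETH(unwrapperAddress);
    }

    /// @notice Pull `amount` WETH from the caller, unwrap it, and deliver ETH to `to`.
    /// @dev The caller must have approved this contract for `amount` WETH beforehand.
    function unwrapFor(address to, uint256 amount) external {
        require(amount > 0, "Zero amount");
        uint256 ethBefore = to.balance;

        // Step 1: load WETH directly into the unwrapper ...
        require(
            weth.transferFrom(msg.sender, address(unwrapper), amount),
            "WETH transfer failed"
        );

        // Step 2: ... and unwrap in the same transaction, so no other
        // transaction can be ordered between the load and the unwrap.
        unwrapper.unwrapAndSendETH(to);

        // Post-conditions: nothing is left in the unwrapper and `to` received
        // at least `amount` (the unwrapper forwards its entire balance).
        require(weth.balanceOf(address(unwrapper)) == 0, "WETH left behind");
        require(to.balance >= ethBefore + amount, "ETH not delivered");
    }
}
```

If either step reverts, the whole transaction reverts and the WETH stays with the original holder.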

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Pipeline access control
