DeFiHardhatOracleProxyUpdates
100,000 USDC
Submission Details
Severity: low
Invalid

`UnwrapAndSendETH` can be called by anyone, leads to front-running and loss of user funds

Summary

The `UnwrapAndSendETH` contract allows anyone to send WETH to it and then withdraw and forward the received funds to a specified address through the `unwrapAndSendETH` function. This design is vulnerable to front-running: an attacker can pre-emptively withdraw and transfer funds that another user sent to the contract.

`UnwrapAndSendETH` is a junction contract intended for use with the Pipeline contract; junctions are helper contracts that can be used in a pipeline call to unlock greater functionality. However, there are no clear docs or instructions that stop users from using this contract in isolation.

Vulnerability Details

The contract uses the `receive() external payable {}` function to accept WETH from any address. The `unwrapAndSendETH` function then withdraws the WETH and transfers the resulting ETH to a specified address without any validation of the caller's identity.

Impact

This vulnerability allows an attacker to front-run a legitimate user's attempt to withdraw and transfer funds. As a result, the attacker gains control over the funds intended for the original sender.

PoC

  1. Bob calls `unwrapAndSendETH` and sends WETH to the contract.
  2. Alice notices the WETH in the contract.
  3. Alice front-runs Bob and calls `unwrapAndSendETH` first, withdrawing and transferring all the funds to herself.
  4. Bob loses the funds he sent to the contract.

This sequence allows an attacker (here, Alice) to transfer funds intended for another user (Bob) to her own address.

Recommendations

Implement access control: restrict who may call the `unwrapAndSendETH` function. Only the original sender or authorized addresses should be allowed to withdraw and transfer funds.
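As an added illustration (not the audited Beanstalk source and not part of the original submission), the sketch below shows a junction in the shape the report describes next to a variant that applies the recommended access control. The contract layout, the minimal `IWETH` interface and the `allowedCaller` name are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal WETH surface assumed for this example (not the project's own interface file).
interface IWETH {
    function balanceOf(address account) external view returns (uint256);
    function withdraw(uint256 amount) external;
}

// Reconstruction of the shape the report describes (not the audited source):
// any caller may unwrap whatever WETH the junction currently holds and send it anywhere.
contract UnwrapAndSendETHOpen {
    address public immutable WETH;

    constructor(address weth) {
        WETH = weth;
    }

    // Needed so WETH.withdraw can push ETH back into this contract.
    receive() external payable {}

    function unwrapAndSendETH(address to) external {
        uint256 bal = IWETH(WETH).balanceOf(address(this));
        require(bal > 0, "no WETH held");
        IWETH(WETH).withdraw(bal);
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "ETH transfer failed");
    }
}

// Variant applying the recommendation: only one designated caller (assumed here to be
// the Pipeline contract) may trigger the unwrap, so WETH left in the junction between
// transactions cannot be swept by an unrelated sender.
contract UnwrapAndSendETHRestricted {
    address public immutable WETH;
    address public immutable allowedCaller; // assumed name for this example

    constructor(address weth, address caller) {
        WETH = weth;
        allowedCaller = caller;
    }

    receive() external payable {}

    function unwrapAndSendETH(address to) external {
        require(msg.sender == allowedCaller, "caller not authorized");
        uint256 bal = IWETH(WETH).balanceOf(address(this));
        require(bal > 0, "no WETH held");
        IWETH(WETH).withdraw(bal);
        (bool ok, ) = to.call{value: address(this).balance}("");
        require(ok, "ETH transfer failed");
    }
}
```

The restricted variant closes the standalone-use path the report is concerned about: WETH can only leave the junction through the designated caller, so a transfer that lands in the contract outside a pipeline call cannot be claimed by a third party. When the junction is only ever used inside a single Pipeline transaction, the deposit and the unwrap happen atomically and there is no window to front-run, which is the design assumption behind the judge's ruling below.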

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Design choice
Assigned finding tags:

Pipeline access control

