Submission Details
Severity: high
Invalid

Multiple functions send Ether to arbitrary destinations, which can result in an unauthorized loss of funds

Summary

Unprotected calls to functions sending Ether to an arbitrary address.

Vulnerability Details

LibEth::refundEth() (contracts/beanstalk/migration/L1Libraries/LibEth.sol#16-22) sends eth to arbitrary user
Dangerous calls:
- (success,None) = msg.sender.call{value: address(this).balance}(new bytes(0)) (contracts/beanstalk/migration/L1Libraries/LibEth.sol#19)
LibWeth::unwrap(uint256,LibTransfer.From) (contracts/beanstalk/migration/L1Libraries/LibWeth.sol#23-28) sends eth to arbitrary user
Dangerous calls:
- (success,None) = msg.sender.call{value: amount}(new bytes(0)) (contracts/beanstalk/migration/L1Libraries/LibWeth.sol#26)
LibEth::refundEth() (contracts/libraries/Token/LibEth.sol#15-21) sends eth to arbitrary user
Dangerous calls:
- (success,None) = msg.sender.call{value: address(this).balance}(new bytes(0)) (contracts/libraries/Token/LibEth.sol#18)
LibWeth::unwrap(uint256,LibTransfer.From) (contracts/libraries/Token/LibWeth.sol#23-28) sends eth to arbitrary user
Dangerous calls:
- (success,None) = msg.sender.call{value: amount}(new bytes(0)) (contracts/libraries/Token/LibWeth.sol#26)

Impact

The low-level call to msg.sender could fail, or the recipient could manipulate the transfer.

Tools Used

Slither

Recommendations

Ensure that an arbitrary user cannot withdraw unauthorized funds by handling the result of the low-level call properly.
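An added illustration, not Beanstalk's code or the submitter's: the refund-to-caller pattern flagged above, written so the destination is always msg.sender and a failed call reverts (the handling the recommendation asks for), followed by a Foundry test showing the excess is returned to the caller. The contract names, `forge-std` and the treasury address are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import "forge-std/Test.sol"; // assumption: forge-std is installed in the project

// Constructed example, not Beanstalk's code: the refund pattern flagged above,
// with the destination fixed to msg.sender and the call result checked.
library LibEthRefund {
    error EthRefundFailed();
    // Return whatever ETH the contract holds to the caller. Slither's
    // arbitrary-send-eth detector flags value transfers to msg.sender that no
    // sender check gates, but msg.sender is the account that initiated the
    // call, not an address a third party can choose.
    function refundEth() internal {
        uint256 amount = address(this).balance;
        if (amount == 0) return;
        (bool success, ) = msg.sender.call{value: amount}("");
        if (!success) revert EthRefundFailed(); // never strand ETH silently
    }
}

// Minimal consumer: forwards the price to a treasury and refunds the excess.
contract PayAndRefund {
    uint256 public constant PRICE = 1 ether;
    address payable public immutable treasury;
    constructor(address payable treasury_) { treasury = treasury_; }

    function buy() external payable {
        require(msg.value >= PRICE, "insufficient payment");
        (bool ok, ) = treasury.call{value: PRICE}("");
        require(ok, "treasury transfer failed");
        // Leftover balance (msg.value - PRICE) goes back to the caller; a
        // receiver that rejects ETH makes the whole purchase revert.
        LibEthRefund.refundEth();
    }
}

contract PayAndRefundTest is Test {
    function testExcessIsRefundedToCaller() public {
        address payable treasury = payable(makeAddr("treasury"));
        PayAndRefund p = new PayAndRefund(treasury);
        address buyer = makeAddr("buyer");
        vm.deal(buyer, 3 ether);
        vm.prank(buyer);
        p.buy{value: 2.5 ether}();
        assertEq(buyer.balance, 2 ether); // 0.5 kept + 1.5 refunded
        assertEq(treasury.balance, 1 ether);
        assertEq(address(p).balance, 0);
    }
}
```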

Updates

Lead Judging Commences

inallhonesty Lead Judge 12 months ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
