Vesting beneficiary replace → silently drain stream
A bug in a custom vesting contract lets anyone call setBeneficiary on existing schedules. Replacing the beneficiary with an attacker-controlled address redirects the legitimate token stream to the attacker until the diverted funds are noticed.
§ Context
Assumed environment: target deployed a custom vesting / streaming contract (Sablier-like). Either an unguarded setBeneficiary or a delegatecall path lets an external caller set arbitrary beneficiaries.
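As an added illustration (not the target's contract and not code from this dossier), a minimal linear vesting contract in which setBeneficiary is guarded so that only the current beneficiary or the admin can redirect a schedule, and every change emits an event that monitoring can alert on; the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
interface IERC20 { function transfer(address to, uint256 amount) external returns (bool); }
// Hypothetical guarded vesting contract (added example, not the dossier's target).
contract GuardedVesting {
    struct Schedule {
        address beneficiary;
        uint128 total;     // tokens vested over the full period
        uint128 released;  // tokens already withdrawn
        uint64 start;
        uint64 duration;
    }
    IERC20 public immutable token;
    address public immutable admin;
    uint256 public nextId;
    mapping(uint256 => Schedule) public schedules;
    // Logged on every change so off-chain monitoring can flag unexpected redirects.
    event BeneficiaryChanged(uint256 indexed id, address indexed from, address indexed to, address caller);

    constructor(IERC20 _token) { token = _token; admin = msg.sender; }

    function createSchedule(address to, uint128 total, uint64 start, uint64 duration) external returns (uint256 id) {
        require(msg.sender == admin, "not admin");
        require(to != address(0) && duration > 0, "bad params");
        id = nextId++;
        schedules[id] = Schedule(to, total, 0, start, duration);
    }

    // The dossier's bug is this function with no msg.sender check; here only the
    // current beneficiary (stream transfer) or the admin may redirect a schedule.
    function setBeneficiary(uint256 id, address to) external {
        Schedule storage s = schedules[id];
        require(s.beneficiary != address(0), "no schedule");
        require(msg.sender == s.beneficiary || msg.sender == admin, "not authorized");
        require(to != address(0), "zero beneficiary");
        emit BeneficiaryChanged(id, s.beneficiary, to, msg.sender);
        s.beneficiary = to;
    }

    // Linear release; only the current beneficiary can pull unlocked tokens.
    function release(uint256 id) external {
        Schedule storage s = schedules[id];
        require(msg.sender == s.beneficiary, "not beneficiary");
        uint256 elapsed = block.timestamp > s.start ? block.timestamp - s.start : 0;
        uint256 unlocked = elapsed >= s.duration ? uint256(s.total) : (uint256(s.total) * elapsed) / s.duration;
        uint256 amount = unlocked - s.released;
        s.released += uint128(amount);
        require(token.transfer(msg.sender, amount), "transfer failed");
    }
}
```

Alerting on BeneficiaryChanged events whose caller is neither the admin nor the previous beneficiary gives defenders the signal the dossier says is otherwise missing until funds go astray.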
§ Steps
- 01. Claim the stream to attacker address (Exfiltration: T1041, Exfiltration Over C2 Channel)
- 02. Wait for vesting unlock (Initial Access: T1078, Valid Accounts)
- 03. Audit vesting contract source (Reconnaissance: W-RECON-FINGERPRINT, Tech Stack Fingerprinting)
- 04. Call setBeneficiary on victim's schedule (Impact: DEFI-VESTING-DRAIN, Vesting Contract Drain)
- 05. Spot missing access control (Privilege Escalation: DEFI-VESTING-PERM, Vesting Beneficiary Replace)
§ References
§ Frequently asked
- What is the "Vesting beneficiary replace → silently drain stream" attack path?
- A bug in a custom vesting contract lets anyone call setBeneficiary on existing schedules. Replacing the beneficiary with an attacker-controlled address redirects the legitimate token stream to the attacker until the diverted funds are noticed. It chains 5 steps drawn from real-world offensive-security techniques.
- What starting position does this attack require?
- The first step is Claim the stream to attacker address (T1041), an exfiltration primitive. Assumed environment: target deployed a custom vesting / streaming contract (Sablier-like).
- What is the final impact of this kill-chain?
- The final step lands on Spot missing access control (DEFI-VESTING-PERM), which falls under Privilege Escalation. From here, an operator typically pivots into post-exploitation or maintains persistence.
- How can defenders detect or prevent this attack?
- Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.
§ Related dossiers
- Padding oracle → forge admin session cookie (3 shared techniques): App encrypts session cookies with AES-CBC and reveals padding-validity via a 500/200 differential. Decrypt the cookie, forge an admin cookie, log in without credentials.
- Cross-chain bridge validator-set bypass → mint wrapped tokens (3 shared techniques): Bridge's signature-set check is off-by-one (Nomad-class) or accepts a zero address (Ronin-class). Mint wrapped tokens on the destination chain without locking on the source.
- Reentrancy → drain vault contract (3 shared techniques): Vulnerable withdraw() sends ETH before updating balance. Attacker contract re-enters via fallback() until the vault is empty, the canonical DAO-2016 pattern.
- Origin IP bypass → direct attack on backend (2 shared techniques): Find the real origin IP behind the CDN via CT logs / DNS history / SSL fingerprinting. Connect directly to origin, bypassing WAF + caching + rate-limit; run noisy attacks (SQLi / RCE) that the edge would have blocked.
- Apple Pay Express Transit relay → high-value contactless fraud (2 shared techniques): Specific configuration (Express Transit + Visa) allowed contactless transactions over £1k without unlock or per-tx auth. Two devices relayed the wallet from victim's pocket to a real terminal.
- Mass SMS phish → Okta-style portal → SaaS sprawl (0ktapus) (2 shared techniques): Wide SMS phishing campaign targeting employees of ~130 organisations with a single phishlet that captures Okta credentials + push approval. Mass automated logins to Twilio, MailChimp, DoorDash et al.