# Access Control Bug in Beluga Protocol

By [sayan](https://paragraph.com/@sayan-2) · 2023-07-23

---

Finding Details
---------------

The `emergencyWithdraw` function in 2 of their contracts had `internal` visibility ,

which would mean that no one could’ve called the `emergencyWithdraw` function during the situation of emergency.

![](https://storage.googleapis.com/papyrus_images/d7f9e9dc40ac93fa28e9023be19e5ca61e6741e1805abb56d0aa2574ae23b960.png)

Response
--------

I submitted 2 reports(as low severity findings) on June 16 and the Protocol closed one after a week saying this

![](https://storage.googleapis.com/papyrus_images/d9fbabf5455b64858d448dbbb79e8c7fac9955bc16453b51cb7091e3d2849c7e.png)

was kinda unsatisfied with their reasoning,so I asked for Immunefi’s mitigation and they said it was “lack of functionality” rather than a “vulnerability” .

![](https://storage.googleapis.com/papyrus_images/0c1f2b6fd64fe750c790e3b875a258c7a88c0d56d971acdafe6eedb43e47f6d7.png)

Beluga closed my another report after 27 days saying that it was “out of scope”(which ,as per my understanding ,was in fact in scope).

On July 22 Immunefi informed that the Protocol is removed from Immunefi because it ghosted whitehats and the Immunefi team.

![](https://storage.googleapis.com/papyrus_images/35ffeb2379093632e926413e74ece2d2f02923214b66d20a979e82da39bc1295.png)

---

*Originally published on [sayan](https://paragraph.com/@sayan-2/access-control-bug-in-beluga-protocol)*