DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

`__update` function is wrongly comparing `bpf` with `ids`

Summary

The issue in the __update function is that it mistakenly compares bpf with ids[i], which are the fertilizer IDs, instead of comparing bpf with the amount of beans associated with each ID. The bpf variable, on the other hand, represents the Beans per Fertilizer value. This comparison does not make sense in the context of the function's logic.

Vulnerability Details

Here's an example scenario to illustrate the impact:

Suppose we have a user Alice who has fertilized two different types of crops with IDs 1001 and 1002. Let's say the current bpf (Beans per Fertilizer) value is 100. Now, suppose Alice has 10 units of crop with ID 1001 and 5 units of crop with ID 1002.

If the `__update` function incorrectly compares bpf (100) with ids[i] (1001 and 1002), it would not accurately calculate the correct amount of beans to be claimed by Alice for each crop type.

For instance, if ids[i] is 1001, and Alice last claimed beans when the bpf value was 90, then the correct calculation should be (100 - 90) * 10 = 100 beans. However, if ids[i] is incorrectly compared with bpf, it might result in erroneous calculations, leading to incorrect payment of fertilizer.

As a result, Alice may receive incorrect payments for the fertilized crops, causing financial discrepancies and potentially undermining the integrity of the system's incentive mechanisms.

Therefore, ensuring that the comparison is made between bpf and the amount associated with each fertilizer ID is crucial for accurate calculation and fair distribution of fertilizer payments to users like Alice.

See the following code:

```solidity
function __update(
    address account,
    uint256[] memory ids,
    uint256 bpf
) internal returns (uint256 beans) {
    for (uint256 i; i < ids.length; ++i) {
        uint256 stopBpf = bpf < ids[i] ? bpf : ids[i];
        uint256 deltaBpf = stopBpf - _balances[ids[i]][account].lastBpf;
        if (deltaBpf > 0) {
            beans = beans.add(deltaBpf.mul(_balances[ids[i]][account].amount));
            _balances[ids[i]][account].lastBpf = uint128(stopBpf);
        }
    }
    emit ClaimFertilizer(ids, beans);
}
```

Impact

This issue could lead to incorrect calculations of the beans to be claimed by the account, resulting in incorrect payments of fertilizer.

Tools Used

Manual Review

Recommendations

To fix this issue, the comparison should be made between bpf and the amount associated with each fertilizer ID for the account.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Informational/Invalid
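
The `__update` loop quoted in the submission, modelled in Python and run on the submission's Alice scenario. This is an added example, not code from the submission or the project. The names `Balance`, `update` and `alice_scenario`, the last-claim value of 90 for ID 1002 and the later `bpf` of 2000 are assumptions made for illustration, and Python integers do not model `uint256` arithmetic.

```python
from dataclasses import dataclass


@dataclass
class Balance:
    amount: int    # units of fertilizer the account holds for this id
    last_bpf: int  # bpf recorded at the account's previous claim


def update(balances, account, ids, bpf):
    """Line-by-line model of __update: returns the beans claimed and
    advances last_bpf exactly where the Solidity loop does."""
    beans = 0
    for fert_id in ids:
        bal = balances[fert_id][account]
        # Same ternary as the Solidity: the smaller of bpf and the id.
        stop_bpf = bpf if bpf < fert_id else fert_id
        delta_bpf = stop_bpf - bal.last_bpf
        if delta_bpf < 0:
            # Unsigned subtraction behaviour is not modelled here.
            raise ArithmeticError("last_bpf is ahead of stop_bpf")
        if delta_bpf > 0:
            beans += delta_bpf * bal.amount
            bal.last_bpf = stop_bpf
    return beans


def alice_scenario():
    # Constructed state from the submission: ids 1001 and 1002, 10 and 5
    # units, last claim at bpf 90 (assumed for 1002), current bpf 100.
    balances = {
        1001: {"alice": Balance(amount=10, last_bpf=90)},
        1002: {"alice": Balance(amount=5, last_bpf=90)},
    }
    first = update(balances, "alice", [1001], 100)   # (100 - 90) * 10
    repeat = update(balances, "alice", [1001], 100)  # nothing new accrued
    second = update(balances, "alice", [1002], 100)  # (100 - 90) * 5
    # Assumed later state: bpf has grown past the id, so stop_bpf is 1001.
    capped = update(balances, "alice", [1001], 2000)  # (1001 - 100) * 10
    return first, repeat, second, capped


if __name__ == "__main__":
    print(alice_scenario())
```

For ID 1001 at `bpf` 100 the model returns the same 100 beans that the submission works out by hand.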
