DeFiHardhat
35,000 USDC
Submission Details
Severity: low
Invalid

`_getMintFertilizerOut` has decimals precision error

Summary

The `_getMintFertilizerOut` function calculates the amount of fertilizer that can be obtained for a given input of tokens, such as Barn Raise tokens, based on their USD price. It is part of the contract's fertilizer-minting functionality. The code comments state that this function returns the amount of Fertilizer that can be purchased with `tokenAmountIn` Barn Raise tokens, and add:

  • Can be used to help calculate minFertilizerOut in mintFertilizer.

  • tokenAmountIn has 18 decimals, getEthUsdPrice() has 6 decimals and fertilizerAmountOut has 0 decimals.

Vulnerability Details

As described in the comments, `fertilizerAmountOut` is expected to have 0 decimals, but nothing in the calculation accounts for this. The division does not change the decimal precision of the input value `tokenAmountIn`; the function directly divides `tokenAmountIn` by the USD price obtained from `LibUsdOracle.getUsdPrice(barnRaiseToken)`.

Therefore, the resulting `fertilizerAmountOut` will retain the same number of decimals as `tokenAmountIn`, which is 18 decimals.

Impact

There is a precision loss that will result in a miscalculation of `fertilizerAmountOut`. This will cause loss of funds and tokens.

Tools Used

Manual Review

Recommendations

The constant `FERTILIZER_AMOUNT_PRECISION` is declared in the code, but it is not used anywhere in the provided snippets. Its purpose seems to be to define a precision constant for fertilizer amounts.

Multiply `tokenAmountIn` by `FERTILIZER_AMOUNT_PRECISION` before dividing by the USD price. This ensures that the resulting `fertilizerAmountOut` adheres to the precision specified by `FERTILIZER_AMOUNT_PRECISION`.

Updates

Lead Judging Commences

giovannidisiena Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
Assigned finding tags:

Precision loss
