Summary

The getPenalizedUnderlying function has an issue where the calculation of redeemable Ripe Tokens can exceed the actual underlying amount available. This occurs due to the use of a ratio that can "potentially" exceed 1 when s.recapitalized is greater than totalUsdNeeded.

Impact

If not addressed, this issue could lead to scenarios where users are able to redeem more Ripe Tokens than should logically be available

Proof of Concept

First let's look at the getPenalizedUnderlying function:

https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/LibUnripe.sol#L166-L167

Here, redeem can potentially exceed underlyingAmount if s.recapitalized is greater than totalUsdNeeded. The current safeguard:

https://github.com/Cyfrin/2024-05-Beanstalk-3/blob/662d26f12ee219ee92dc485c06e01a4cb5ee8dfb/protocol/contracts/libraries/LibUnripe.sol#L170

acts as a temporary fix but does not address the root cause of the issue. The formula should inherently ensure that redeem does not exceed underlyingAmount without requiring a conditional check.

Tools Used

Manual review

Recommended Mitigation Steps:

A more appropriate would involve adjusting the calculation to ensure that the ratio of s.recapitalized to totalUsdNeeded does not exceed 1 before applying it to the underlyingAmount. This can be done by capping the ratio at 1:

This adjustment ensures that the redeemable amount is always within logical bounds and reflects the actual recapitalization progress, preventing any potential overflow or logic errors in token redemption calculations.