Missing validation for ```totalUsdNeeded``` in ```LibUnripe::getPenalizedUnderlying``` can lead to the ```urBean``` chopping block
Summary
The LibUnripe::getPenalizedUnderlying() calculates the penalized amount of Ripe Tokens corresponding to the amount of Unripe Tokens that are chopped, according to the current chop rate into the protocol. When the Beanstalk is fully recapitalized, the totalUsdNeeded variable becomes 0. In the possible scenario where all urLP is chopped before urBeans, the division by zero error causes the transaction to revert preventing users from chopping urBean into Ripe Bean.
Vulnerability Details
Impact
When the Beanstalk is fully recapitalized the urToken holders should be able to redeem the ripe underlying assets at a 1:1 rate. This can't happen in the scenario where all urLP is chopped before urBeans.
Considering the scenario where the recapitalization is completed and all urLP is chopped before urBeans: the totalUsdNeeded variable is 0 (the LibFertilizer.getTotalRecapDollarsNeeded() return 0 because C.unripeLP().totalSupply() is 0).
The LibUnripe::getPenalizedUnderlying()will perform a divion by zero error causing the transaction to revert preventing users from chopping urBean into Ripe Bean. The urBean chop into Ripe Bean can't happen and the funds are stuck.
Impact: high because funds are directly at risk.
Likelihood: low because all urLP should be chopped before urBeans.
Tools Used
Manual review
Recommendations
To handle this scenario, appropriate checks should be added to ensure that in the case of full recapitalization the users can redeem at the new chop rate also in the case where all urLP is chopped before urBeans.
Lead Judging Commences
Unripe Bean Chop DoS
Unripe Bean Chop DoS
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.