Lack of Buyer's Bean Balance Check in Listing.sol
Summary
The Listing.sol contract in the Beanstalk project lacks a check of the buyer's Bean balance before executing a Pod purchase. This could lead to situations where the buyer does not have enough Beans to complete the transaction, causing the transaction to revert and wasting gas fees.
Vulnerability Details
The Listing.sol contract has a _fillListing function to handle Pod purchases. However, this function only checks if the amount of Beans paid is sufficient to buy the desired amount of Pods, without checking if the buyer (filler) actually owns that amount of Beans.
Impact
If the buyer doesn't have enough Beans, the transaction will be reverted, wasting gas fees for both the buyer and the seller.
Tools Used
Manual
Recommendations
Add a step to check the filler's Bean balance before performing the Pod transfer.
Lead Judging Commences
Informational/Gas
Invalid as per docs https://docs.codehawks.com/hawks-auditors/how-to-determine-a-finding-validity
Prize pool breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.