Beanstalk: The Finale

Summary

In the beginning of season it executes Flood concept if there is positive deltaB in Soppable Wells and Bean price > 1 USD
https://docs.bean.money/almanac/peg-maintenance/flood

Protocol mints Beans in the amount of positive deltaB and swaps into Well. As a result Bean shortage in Wells is resolved.

Issue is that it mints and swaps incorrect amount of Beans. After such swap it crates excess of Beans (previously was shortage), however it is expected to return price to its peg.

Vulnerability Details

Main logic is in LibFlood.sopWell(). As you can see it mints the amount of positive deltaB and swaps it, then directs amountOut to Field module:

Let's imagine following scenario:

1. Well USDC / Bean. Reserves are: 550e6 USDC, 500e6 Bean.

2. deltaB is positive 50e6, it's obvious to calculate.

3. sopWell() mints 50e6 Bean and swaps into USDC.

Let's calculate reserves after such swap. Constant product formula is used in Wells, so usdcReserveAfterSwap = usdcReserveBefore * beanReserveBefore / beanReserveAfter = 550e6 USDC * 500e6 Bean / 550e6 Bean = 500e6 UDSC.

So in the end of Flood reserves are 550e6 Bean and 500e6 USDC. It became unbalanced to the other side.

Correct amount to mint and swap is 24.e6 Bean into 25.6e6 USDC.

Impact

Flood logic imbalances bean price to the other side instead of returning to 1 USD. Flood which is one o fcore peg mechanisms of Beanstalk works incorrectly.

Tools Used

Manual Review

Recommendations

Develop the correct way to calculate amount of Beans to mint and swap during Flood.