DeFi, Hardhat, Foundry
250,000 USDC
Submission Details
Severity: medium
Invalid

Incomplete Approval Checks in Pod Order and Listing Creation Allow Potential Unauthorized Commitments

Summary

The MarketplaceFacet contract implements an approval system for pod transfers, which is a critical security feature. However, this approval check is not explicitly performed in the order and listing creation processes. This could lead to a situation where a user creates an order or listing for pods they don't have the right to commit.

Vulnerability Details

In the _createPodOrder function:

    function _createPodOrder(
        PodOrder calldata podOrder,
        uint256 beanAmount
    ) internal returns (bytes32 id) {
        require(beanAmount > 0, "Marketplace: Order amount must be > 0.");
        require(podOrder.pricePerPod > 0, "Marketplace: Pod price must be greater than 0.");
        id = _getOrderId(podOrder);
        if (s.sys.podOrders[id] > 0) _cancelPodOrder(podOrder, LibTransfer.To.INTERNAL);
        s.sys.podOrders[id] = beanAmount;
        // ... emit event ...
    }

Similarly, in the _createPodListing function:

    function _createPodListing(PodListing calldata podListing) internal {
        uint256 plotSize = s.accts[podListing.lister].fields[podListing.fieldId].plots[
            podListing.index
        ];
        require(podListing.podAmount > 0, "Marketplace: Invalid Amount.");
        require(
            plotSize >= (podListing.start + podListing.podAmount),
            "Marketplace: Invalid Plot."
        );
        // ... other checks ...
        s.sys.podListings[podListing.fieldId][podListing.index] = _hashListing(podListing);
        // ... emit event ...
    }

While these functions do perform some checks, they don't explicitly verify that the user has the necessary approvals or ownership of the pods they're committing to an order or listing.

Proof of Concept

1: Alice owns 1000 pods in Plot 1.

2: Alice approves Bob to manage 500 of her pods.

3: Bob, without owning any pods himself, creates a pod order or listing for 1000 pods in plot 1.

4: The contract allows this creation, despite Bob only having approval for 500 pods.

Impact

This oversight will potentially allow users to create orders or listings for pods they don't own or haven't been approved to manage, leading to unauthorized commitments and potential market manipulation.

Tools Used

Manual review

Recommendations

1: Implement explicit approval checks in _createPodOrder and _createPodListing functions.

2: Add a check to ensure the user creating the order or listing either owns the pods or has sufficient approval.

3: In the MarketplaceFacet contract, add pre-checks before calling the internal create functions:

Updates

Lead Judging Commences

inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement

Appeal created

lordofterra Submitter about 1 year ago
inallhonesty Lead Judge about 1 year ago
inallhonesty Lead Judge about 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
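
An added example, not part of the submission or of the project's code: a Python model of the storage read and the two require checks quoted from _createPodListing above, run against the proof-of-concept scenario. The account names, the Marketplace class and the helper functions are assumptions for illustration; the elided "other checks", the external entry point and the approval system are not modelled.

```python
from dataclasses import dataclass

class Revert(Exception):
    """Stands in for a failed Solidity require()."""

@dataclass(frozen=True)
class PodListing:
    lister: str
    field_id: int
    index: int
    start: int
    pod_amount: int

class Marketplace:
    def __init__(self):
        self.plots = {}         # models s.accts[a].fields[f].plots[i]
        self.pod_listings = {}  # models s.sys.podListings[f][i]

    def set_plot(self, account, field_id, index, size):
        self.plots.setdefault(account, {}).setdefault(field_id, {})[index] = size

    def create_pod_listing(self, l):
        # The plot is looked up under the lister's own account.
        # An unset mapping slot reads as 0 in Solidity.
        plot_size = self.plots.get(l.lister, {}).get(l.field_id, {}).get(l.index, 0)
        if not l.pod_amount > 0:
            raise Revert("Marketplace: Invalid Amount.")
        if not plot_size >= l.start + l.pod_amount:
            raise Revert("Marketplace: Invalid Plot.")
        self.pod_listings[(l.field_id, l.index)] = hash(l)  # stand-in for _hashListing

def try_listing(market, listing):
    """Return 'created' or the revert message."""
    try:
        market.create_pod_listing(listing)
        return "created"
    except Revert as err:
        return str(err)

def poc_scenario():
    # Constructed state: Alice holds a 1000-pod plot at field 0, index 1.
    m = Marketplace()
    m.set_plot("alice", 0, 1, 1000)
    return {
        "bob_lists_1000": try_listing(m, PodListing("bob", 0, 1, 0, 1000)),
        "alice_lists_1001": try_listing(m, PodListing("alice", 0, 1, 0, 1001)),
        "alice_lists_1000": try_listing(m, PodListing("alice", 0, 1, 0, 1000)),
    }

if __name__ == "__main__":
    print(poc_scenario())
```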
