Beanstalk: The Finale

Beanstalk

DeFiHardhatFoundry

250,000 USDC

View results

Previous Next

Submission Details

Severity: low

Invalid

pod listings with small pod prices are at risk of loosing more pods than amount paid

ashutoshsb

Vulnerability Details

Inside contract Listing.sol while filling order due to incorrect rounding in function _fillListing more pods can be bought by giving price of lesser pods.

e.g - Suppose there is an order listing with 980 pods with price of 0.001/pod (orders with such small prices are common and data available on beanstalk site) now a person while filling listing even pay only price of 1 pod (0.001) can still get entire 980 pods.

POC

In Below test, A user is selling 1000 pods with price 0.005/ pod and User B can partiall fill pod listing by paying price of pod amount equal to 800 pods but can still get entire 1000 pods.

describe("Fill listing", async function () {

beforeEach(async function () {

this.podListing = PodListing(user.address, 0, 0, 0, 1000, 5000, 0, 0, EXTERNAL);

await mockBeanstalk.connect(user).createPodListing(this.podListing);

this.amountBeansBuyingWith = 4;

this.userBeanBalance = await bean.balanceOf(user.address);

this.user2BeanBalance = await bean.balanceOf(user2.address);

this.result = await mockBeanstalk

.connect(user2)

.fillPodListing(this.podListing, this.amountBeansBuyingWith, EXTERNAL);

this.user2BeanBalanceAfter = await bean.balanceOf(user2.address);

this.userBeanBalanceAfter = await bean.balanceOf(user.address);

});

it("transfer pod listing", async function () {

expect(1000).to.equal(await beanstalk.plot(user2.address, 0, 0));

expect(await beanstalk.plot(user.address, 0, 0)).to.equal(0);

});

Similarly this test can be modified for above example.

Impact

Small price pod listings loosing more pods but getting lesser amount equivalent to lower pod amount.

Tools Used

Manual Review

Recommendations

Roundup correctly to avoid pod loss.

Updates

Lead Judging Commences

inallhonesty Lead Judge 11 months ago

Submission Judgement Published

Invalidated

Reason: Incorrect statement

Assigned finding tags:

pod listings with small pod prices are at risk of loosing more pods than amount paid

Prize pool breakdown

Total prize

250,000 USDC

nSLOC

12,285

20 USDC / LOC

High Medium

220,000 USDC

Low

10,000 USDC

Judges

20,000 USDC

Live

The contest is live. Earn rewards by submitting a finding.

Judging

Submissions are being carefully reviewed by our judges.

View all submissions

Appeals

This is your time to appeal against judgements on your submissions.

Appeals Review

Appeals are being carefully reviewed by our judges.

Rewards Distribution

The contest is complete and the rewards are being distributed.

View results

Support

FAQs

Can't find an answer? Chat with us on Discord, Twitter or Linkedin.