Report #13461

Report Date

November 12, 2022

Status

Confirmed

Payout

11,000

Cancelling a market pod orders returns multiple of funds deposited

‣

Report Info

Report ID

#13461

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Report type

Smart Contract

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?

Yes

Bug Description

Cancelling a market pod order deposited the total pod amount ordered into my wallet, as opposed to the $BEAN amount I had offered. As a result 10x the amount I had deposited was returned back into my wallet.

In this case I had previously created a pod buy order of approx 1000 $bean, with a price per pod of 0.1. When I cancelled the order I received approx 10,000 $bean.

I performed both operations in the UI. I chose wallet (as opposed to farm balance) as the fund destination.

I have had successful pod orders in the past with this address.

I suspect either my past successful pod orders or the choice of my wallet as the fund destination triggered the bug.

Risk Breakdown

Difficulty to Exploit: Easy

Recommendation

Immediately disable the pod market until this bug can be resolved. Users can abritrarily create pod orders and cancel them to drain funds.

Proof of concept

Steps to reproduce

create a market order in the pod market
cancel the market order
select wallet as fund destination
the total pod order amount (amount deposited / price per pod) should be deposited in wallet as erc-20 token.

BIR-2: V1 Pod Order Backwards Compatibility

BIC Response

After a review, the BIC believes that this should be classified as Medium (Smart contract unable to operate due to lack of token funds) for the following reasons:

This bug would have only resulted in an excess of ~105,121 Beans being distributed to the 3 remaining addresses that created a V1 Pod Order before BIP-29 was committed;
This loss would have only been realized if Farmers withdrew all remaining assets from Beanstalk (Farm balances, the Silo, etc.); and
More info here: https://github.com/BeanstalkFarms/Beanstalk-Governance-Proposals/blob/master/bip/ebip/ebip-4-remove-v1-pod-order-functions.md

Based on our bounty page, this submission and the new proposed severity (Smart Contract - Medium) comes with a reward of $1,000 to $10,000 to be paid in Beans. However, given your graciousness in returning the funds, the BIC would like to reward you 11,000 Beans for this bug report.