Report #28431

Report Date
February 13, 2024

Converting Beans/ETH to Unripe Tokens

Report Info

BIR-13: Minting Unripe LP During Convert

BIC Response

The BIC has determined that the most appropriate impact for this report is "Illegitimate minting of protocol native assets", i.e., High severity, as a result of the potential for minting Unripe assets.

Based on our bounty page, this submission's (Smart Contract - High) reward is capped at the lower of (a) 100% of practicable economic damage, or (b) USD 100 000 (paid 1:1 in Beans), primarily taking into consideration the Funds at Risk. However, there is a minimum reward of USD 10 000 for High severity smart contract bug reports.

We do not believe that this vulnerability can be considered to result in any practicable economic damage.

Potential for Theft of funds: According to this [blog](https://bean.money/blog/a-farmers-guide-to-the-barn-raise), in certain edge cases, it might be possible for Unripe assets to exceed their pre-exploit balance valuation. This can result in a theft of assets; for example, converting 100 Beans might yield Unripe assets valued at 101 Beans, effectively allowing attackers to exploit the protocol and steal.

This is not a practicable concern given the current Chop Rate of >99%.

Additionally, the test demonstrating an attacker converting 50,000 BEANS to 219,500 Unripe Beans reveals a sooner-than-anticipated break-even point, earlier than the instance when 1 Unripe Bean is equal to 1 Bean. At the moment when 1 Unripe Bean equals merely 0.25 Bean, given the conversion ratio of 50 to 219, an attacker can steal all of the Beans from the protocol.

It is not accurate to say that 1 Unripe Bean "equals" 0.25 Beans: although the BDV of Unripe Beans is ~0.224, the liquidatable value of an Unripe Bean is currently <0.01 Beans via Chopping. As a result, this attack would not be profitable by a significant margin.

For these reasons, the BIC has determined that the practicable economic damage for this vulnerability is zero. Given this, the BIC has determined that this bug report should be rewarded with 10,000 Beans.