Report #13461

Report Date
November 12, 2022

Cancelling a market pod order returns a multiple of funds deposited

Report Info

Report ID

#13461

Target

Report type

Smart Contract

Impacts

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Has PoC?

Yes

Bug Description

Cancelling a market pod order deposited the total pod amount ordered into my wallet, as opposed to the $BEAN amount I had offered. As a result 10x the amount I had deposited was returned back into my wallet.

In this case I had previously created a pod buy order of approx 1000 $bean, with a price per pod of 0.1. When I cancelled the order I received approx 10,000 $bean.

I performed both operations in the UI. I chose wallet (as opposed to farm balance) as the fund destination.

I have had successful pod orders in the past with this address.

I suspect either my past successful pod orders or the choice of my wallet as the fund destination triggered the bug.

Risk Breakdown

Difficulty to Exploit: Easy

Recommendation

Immediately disable the pod market until this bug can be resolved. Users can arbitrarily create pod orders and cancel them to drain funds.

Proof of concept

Steps to reproduce

  1. create a market order in the pod market
  2. cancel the market order
  3. select wallet as fund destination
  4. the total pod order amount (amount deposited / price per pod) should be deposited in the wallet as an ERC-20 token.
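A hypothetical model of the refund defect described in the steps above, beside the escrow check a corrected cancel path should enforce. This is an added example, not Beanstalk's code: `PodMarket`, `PodOrder` and the 6-decimal fixed-point convention are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

PRECISION = 10**6  # assumed 6-decimal fixed point for both BEAN and price_per_pod


@dataclass
class PodOrder:
    bean_amount: int    # BEAN escrowed by the buyer when the order was created
    price_per_pod: int  # BEAN per pod, fixed point with PRECISION decimals

    def pod_amount(self) -> int:
        """Pods the order can buy: bean_amount / price_per_pod."""
        return self.bean_amount * PRECISION // self.price_per_pod


@dataclass
class PodMarket:
    escrow: int = 0                      # BEAN the market holds for open orders
    orders: list = field(default_factory=list)

    def create_order(self, bean_amount: int, price_per_pod: int) -> PodOrder:
        order = PodOrder(bean_amount, price_per_pod)
        self.orders.append(order)
        self.escrow += bean_amount
        return order

    def cancel_order_buggy(self, order: PodOrder) -> int:
        # Defect modelled from the report: the refund is the pod amount
        # (beans / price), so a 0.1 price pays out 10x the escrowed beans
        # and the market's escrow goes negative (it owes more than it holds).
        refund = order.pod_amount()
        self.orders.remove(order)
        self.escrow -= refund
        return refund

    def cancel_order_fixed(self, order: PodOrder) -> int:
        # Corrected path: refund exactly the BEAN the buyer escrowed, and
        # route it through the invariant check below.
        refund = order.bean_amount
        self._pay_out(order, refund)
        return refund

    def _pay_out(self, order: PodOrder, refund: int) -> None:
        # Invariant every refund path must hold: a cancel never returns more
        # than was escrowed for that order, so cancels cannot drain the market.
        if refund > order.bean_amount:
            raise ValueError(f"refund {refund} exceeds escrow {order.bean_amount}")
        self.orders.remove(order)
        self.escrow -= refund
```

With the report's numbers (1000 BEAN at 0.1 per pod) the buggy path returns 10,000 BEAN and leaves the market 9,000 BEAN short; the fixed path returns 1000 BEAN and leaves escrow at zero.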

BIR-2: V1 Pod Order Backwards Compatibility

BIC Response

After a review, the BIC believes that this should be classified as Medium (Smart contract unable to operate due to lack of token funds) for the following reasons:

Based on our bounty page, this submission and the new proposed severity (Smart Contract - Medium) comes with a reward of $1,000 to $10,000 to be paid in Beans. However, given your graciousness in returning the funds, the BIC would like to reward you 11,000 Beans for this bug report.