Cancelling a pod market order returns a multiple of the funds deposited
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Cancelling a pod market order deposited the total pod amount ordered into my wallet, as opposed to the $BEAN amount I had offered. As a result, 10x the amount I had deposited was returned to my wallet.
In this case I had previously created a pod buy order of approx 1000 $BEAN, with a price per pod of 0.1. When I cancelled the order I received approx 10,000 $BEAN.
I performed both operations in the UI. I chose wallet (as opposed to farm balance) as the fund destination.
I have had successful pod orders in the past with this address.
I suspect either my past successful pod orders or the choice of my wallet as the fund destination triggered the bug.
Difficulty to Exploit: Easy
Immediately disable the pod market until this bug can be resolved. Users can arbitrarily create pod orders and cancel them to drain funds.
Proof of concept
Steps to reproduce
- create a market order in the pod market
- cancel the market order
- select wallet as fund destination
- the total pod order amount (amount deposited / price per pod) is deposited in the wallet as an ERC-20 token.
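The accounting mistake the report describes, modelled as an added example that is not Beanstalk's own code: a pod order escrows Beans at a fixed price per pod, and the vulnerable cancel path refunds the number of pods the order could have bought (beans / price per pod) rather than the Beans actually escrowed. The corrected path refunds the stored escrow and refuses any refund larger than the contract's balance; `refund_overpays` is the post-condition a test suite or monitor would check. Names, the `PodMarket` class and the 6-decimal fixed-point units are constructed for illustration.

```python
# Added example (not Beanstalk's own code): a minimal model of the V1 pod order
# refund bug. Units, names and the 6-decimal fixed-point price are constructed.
from dataclasses import dataclass, field

PRECISION = 10**6  # constructed: 1.0 == 1_000_000 for both Beans and price per pod


@dataclass
class PodOrder:
    beans_escrowed: int   # Beans the buyer deposited when placing the order
    price_per_pod: int    # Beans paid per pod, fixed-point with PRECISION

    def pods_purchasable(self) -> int:
        """Pods the order could fill: the quantity asked for, not the quantity paid."""
        return self.beans_escrowed * PRECISION // self.price_per_pod


@dataclass
class PodMarket:
    treasury: int                       # Beans the market contract holds for all orders
    orders: dict = field(default_factory=dict)
    next_id: int = 0

    def create_order(self, beans: int, price_per_pod: int) -> int:
        """Escrow `beans` and record an order. Returns the order id."""
        if beans <= 0 or not 0 < price_per_pod <= PRECISION:
            raise ValueError("invalid order")
        order_id = self.next_id
        self.next_id += 1
        self.orders[order_id] = PodOrder(beans, price_per_pod)
        self.treasury += beans
        return order_id

    def cancel_buggy(self, order_id: int) -> int:
        """Vulnerable cancel: refunds the pod amount instead of the Beans escrowed."""
        order = self.orders.pop(order_id)
        refund = order.pods_purchasable()      # BUG: pods, not Beans (10x at price 0.1)
        self.treasury -= refund                # can go negative: the contract is now insolvent
        return refund

    def cancel_fixed(self, order_id: int) -> int:
        """Corrected cancel: refund exactly what was escrowed, never more than held."""
        order = self.orders.pop(order_id)
        refund = order.beans_escrowed
        if refund > self.treasury:
            raise RuntimeError("refund exceeds treasury; accounting invariant broken")
        self.treasury -= refund
        return refund


def refund_overpays(deposited: int, refunded: int) -> bool:
    """Post-condition for tests or monitoring: a cancel must never return more than deposited."""
    return refunded > deposited


def replay_report() -> tuple:
    """Replays the report's figures (1000 Beans at 0.1 Beans per pod) on both cancel paths.
    Returns (buggy_refund, fixed_refund) in whole Beans."""
    deposit = 1_000 * PRECISION
    price = PRECISION // 10
    buggy = PodMarket(treasury=0)
    fixed = PodMarket(treasury=0)
    b = buggy.create_order(deposit, price)
    f = fixed.create_order(deposit, price)
    return buggy.cancel_buggy(b) // PRECISION, fixed.cancel_fixed(f) // PRECISION


if __name__ == "__main__":
    got_buggy, got_fixed = replay_report()
    print(f"buggy refund: {got_buggy} Beans, fixed refund: {got_fixed} Beans")
```

Running the replay reproduces the report's ratio: the buggy path hands back 10,000 Beans for a 1,000 Bean deposit and leaves the modelled treasury negative, which is exactly the "smart contract unable to operate due to lack of token funds" outcome the committee classifies below. The fix is to derive the refund from the stored escrow only; the `refund > treasury` check is a second line of defence that turns a silent drain into a revert.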
After a review, the BIC believes that this should be classified as Medium (Smart contract unable to operate due to lack of token funds) for the following reasons:
- This bug would have only resulted in an excess of ~105,121 Beans being distributed to the 3 remaining addresses that created a V1 Pod Order before BIP-29 was committed;
- This loss would have only been realized if Farmers withdrew all remaining assets from Beanstalk (Farm balances, the Silo, etc.); and
- More info here: https://github.com/BeanstalkFarms/Beanstalk-Governance-Proposals/blob/master/bip/ebip/ebip-4-remove-v1-pod-order-functions.md
Based on our bounty page, this submission at the newly proposed severity (Smart Contract - Medium) comes with a reward of $1,000 to $10,000 to be paid in Beans. However, given your graciousness in returning the funds, the BIC would like to reward you 11,000 Beans for this bug report.