Listings are not deleted when available amount falls below `minFillAmount`
- Contract fails to deliver promised returns, but doesn't lose value
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Following recent changes to the marketplace facet, it was noticed that the
minFillAmount parameter has been added to the
createPodListing() functions, both v1 and v2. Due to this addition, follow-up logic must be included to delete the listing if the listing is partially filled and the remaining amount is below the
An extreme example is if a user creates a listing for
100 pods with a
minFillAmount = 50.
If someone purchases 51 pods, then the listing will no longer be fillable because 49 < 50. It will simply exist on the Beanstalk UI, but all attempts to fill it will revert.
- Build up of unfillable listings.
Difficulty to Exploit: Easy Weakness: CVSS2 Score:
Simply check that the remaining amount of pods in the listing is larger than the minFillAmount. If not, delete the listing.
Hi, Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.
- claimed impact by the whitehat is in scope for the bug bounty program
- claimed asset by the whitehat is in scope for the bug bounty program
has not been submittedto the project
- claimed severity is in scope for the bug bounty program
Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:
- check if whitehat's claims are factually correct
- check PoC to understand the validity
- assess the submission's severity
These activities are the project's responsibility.
The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.