Beanstalk Immunefi Committee
Reward 10,000 Beans to the whitehat that reported the issue where Plots can be deleted for a user who has an open Pod Order with a minFillAmount of 0.
If a Farmer created a Pod Order with a minFillAmount of 0 and a maxPlaceInLine such that they have some Pods that are before this place in line (e.g., a Farmer creates an Order with a maxPlaceInLine of 50 million, and has a Plot at place 40 million in line), an attacker can fill this Pod Order (with a minFillAmount of 0) and delete the Farmer's Plot (by setting index to the index that the Farmer has).
Add a minFillAmount > 0 check to _createPodOrder and _createPodOrderV2, such that future Pod Orders cannot be created with a zero minFillAmount.
Add an amount > 0 check to _fillPodOrder and _fillPodOrderV2 to prevent existing Pod Orders from being executed with a zero amount.
At the time of report submission, there were 2 open Pod Orders with a minFillAmount of 0. One of the Pod Orders was not vulnerable because the Farmer did not have any Plots before maxPlaceInLine. However, the Farmer with the other Pod Order had about 80,000 Pods that were at risk.
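The exposure triage described above can be expressed as a short offline check. This is an added example, not Beanstalk's code: the PodOrder type, the exposed_orders function and all sample data are constructed for illustration, and it assumes Plots are supplied keyed by place in line, with a Plot exactly at maxPlaceInLine counted as exposed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PodOrder:
    # Hypothetical record of an open Pod Order (field names follow the page).
    order_id: str
    farmer: str
    max_place_in_line: int
    min_fill_amount: int


def exposed_orders(orders, plots_by_farmer):
    """Return {order_id: pods_at_risk} for open orders that meet both
    conditions from the report: minFillAmount of 0, and the order's creator
    holds Plots at or before the order's maxPlaceInLine."""
    report = {}
    for order in orders:
        if order.min_fill_amount > 0:
            continue  # a non-zero minimum already rules out a zero fill
        plots = plots_by_farmer.get(order.farmer, {})
        # Assumption: the boundary is inclusive, chosen conservatively.
        at_risk = sum(
            pods for place, pods in plots.items()
            if place <= order.max_place_in_line
        )
        if at_risk > 0:
            report[order.order_id] = at_risk
    return report


# Constructed sample data (not real on-chain state).
SAMPLE_ORDERS = [
    PodOrder("order-A", "farmer-1", 50_000_000, 0),  # zero min, Plot in range
    PodOrder("order-B", "farmer-2", 10_000_000, 0),  # zero min, no Plot in range
    PodOrder("order-C", "farmer-3", 50_000_000, 1),  # non-zero min
]
SAMPLE_PLOTS = {
    "farmer-1": {40_000_000: 80_000, 70_000_000: 5_000},
    "farmer-2": {60_000_000: 12_000},
    "farmer-3": {20_000_000: 9_000},
}

if __name__ == "__main__":
    for order_id, pods in exposed_orders(SAMPLE_ORDERS, SAMPLE_PLOTS).items():
        print(f"{order_id}: {pods} Pods at risk")
```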
The most accurate impact in scope to describe this issue would be Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol) because the attacker has nothing to gain by doing this, and any "attack" could be reversed by the Beanstalk Community Multisig via EBIP.
However, given the exploitability of the issue, the BIC has determined that this bug report be rewarded the maximum reward for Medium severity reports of 10,000 Beans.