Proposed: November 22, 2023
Status: Passed
Link: Snapshot
Beanstalk Immunefi Committee
convert
function in EBIP-12; andSince Replant and prior to this EBIP, Converts did not validate that the pool being Converted in is whitelisted, which would have allowed an attacker to Convert all Beans in the the Beanstalk contract into their own Bean Deposits (which could then be Withdrawn and sold).
Add require
statements in LibWellConvert
that verify that the Well being Converted in is whitelisted.
This was fixed in EBIP-13.
The BIC determined that the funds at risk were all of the Beans in the Beanstalk contract (~22.8M at the time of the report) given that an attacker could have Converted all of these Beans into their own Bean Deposits (which could then be Withdrawn and sold).
Given this, the BIC has determined that this report qualifies for the max reward on Immunefi of 1.1M Beans.
The init
function on the following InitMint
contract is called:
We propose 1,100,000 Beans are minted to the following address in order to pay the bounty to the whitehat:
We propose 110,000 Beans are minted to the following address in order to pay the 10% fee to Immunefi: