Proposed: November 23, 2022
Status: Passed
Link: Snapshot
Beanstalk Immunefi Committee
Per the process outlined in BIR Execution, once a BIR passes, the Beanstalk Community Multisig (BCM) executes it by:
According to Section 3.3 of the Root whitepaper, the amount of Roots to be Redeemed from a set of Deposits is derived from the maximum percentage change in the BDV, Stalk and Seeds of Root as a result of the Redemption.
However, in the Root code, the Roots to Redeem were computed using the minimum instead of the maximum, which allowed the user to receive more Bean Deposits than they were supposed to when Redeeming.
Update the _transferDeposits() function to subtract the minimum amount remaining from the supply in accordance with Section 3.3 of the Root whitepaper. Because subtraction occurs in the _transferDeposits() function, subtracting the maximum amount remaining from the supply resulted in the minimum of the change in BDV, Stalk and Seeds per Root required to Redeem being used instead of the maximum.
This was fixed in ERIP-0.
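As an added illustration (not Root's code, and with constructed numbers), the following models the Section 3.3 rule and the pre-ERIP-0 behaviour side by side: the Roots remaining after a Redemption follow the smallest of the three ratios (so the Roots Redeemed follow the largest percentage change), whereas subtracting the largest remaining amount leaves more Roots and burns fewer for the same Deposits.

```python
from fractions import Fraction

# Constructed state for illustration only; not Root's actual ledger or code.
# Root is modelled as three totals backing the token (BDV, Stalk, Seeds)
# plus the Root supply.
SUPPLY = 10_000
BEFORE = {"bdv": 10_000, "stalk": 12_000, "seeds": 20_000}
# Totals after the Redeemed Deposits leave: the Deposit carried 1,000 BDV,
# 1,500 Stalk (older Deposit with grown Stalk) and 2,000 Seeds.
AFTER = {"bdv": 9_000, "stalk": 10_500, "seeds": 18_000}


def remaining_supply(supply, before, after, use_min):
    """Roots left after the Redemption.

    Section 3.3 of the Root whitepaper: remaining = supply * (smallest ratio
    of after/before across BDV, Stalk and Seeds), so that the Roots Redeemed
    track the maximum percentage change. The pre-ERIP-0 code effectively
    used the largest ratio instead (use_min=False).
    """
    ratios = [Fraction(after[k], before[k]) for k in ("bdv", "stalk", "seeds")]
    pick = min if use_min else max
    return supply * pick(ratios)


def roots_to_redeem(supply, before, after, fixed=True):
    """Roots burned for the Redemption: supply minus what remains."""
    return supply - remaining_supply(supply, before, after, use_min=fixed)


def excess_roots_kept(supply, before, after):
    """Roots the user kept under the bug that should have been burned."""
    return roots_to_redeem(supply, before, after, True) - roots_to_redeem(
        supply, before, after, False
    )


if __name__ == "__main__":
    # Ratios are 0.9 (BDV), 0.875 (Stalk), 0.9 (Seeds): the Stalk change of
    # 12.5% is the maximum, so 1,250 Roots should be Redeemed, not 1,000.
    print("fixed (max change):", roots_to_redeem(SUPPLY, BEFORE, AFTER, True))
    print("bug   (min change):", roots_to_redeem(SUPPLY, BEFORE, AFTER, False))
    print("roots under-burned:", excess_roots_kept(SUPPLY, BEFORE, AFTER))
```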
Although the Root token was not previously defined as in-scope, the BIC has decided due to the combination of the following reasons to offer a bounty for discovery of the bug and formally include the Root token contract in the Immunefi bug bounty program moving forward:
As a result of this vulnerability, Root holders were able to Redeem for Bean Deposits with fewer Roots than they otherwise would. However, the scale at which this vulnerability could manifest itself was marginal. About 8,500 Roots had been Redeemed across 12 transactions, and ~226 more Beans were received from those Redemptions than expected.
Given that:
(165,000 * 226) / 8500 = ~4387 Beans; and
The BIC determined that this bug report be rewarded 10,000 Beans.
The init function on the following InitMint contract is called:
We propose 10,000 Beans are minted to the following address in order to pay the bounty to the whitehat:
We propose 1,000 Beans are minted to the following address in order to pay the 10% fee to Immunefi: