BIR-5: Bean to LP Well Convert

Proposed: October 30, 2023

Status: Passed

Link: Snapshot


Proposer

Beanstalk Immunefi Committee

Summary

Mint 100,000 Beans to the whitehat that reported the issue fixed in EBIP-10.

Per the process outlined in BIR Execution, once a BIR passes, the Beanstalk Community Multisig (BCM) executes it by minting Beans to the whitehat's address in order to cover the bug bounty. No fee is minted in this instance because this bug was reported directly to the BIC outside of the Immunefi platform.

Bug

In Wells (i.e., only BEANETH currently), Farmers could Convert Deposited Beans to Deposited LP tokens past peg. Additionally, if a Farmer had enough Deposited Beans to Convert past peg, it was possible for that Farmer to Convert Deposited Beans to Deposited LP tokens up to the total amount of Beans in the Beanstalk contract.

This was because in LibWellConvert._wellAddLiquidityTowardsPeg, Beanstalk was Converting (1) the amount the user input (beans), rather than (2) the minimum of the amount the user input and the amount required to Convert to peg (beansConverted).

Fix

Upgrade Beanstalk to only allow Converts from Beans to LP tokens in Wells up to (2), i.e., beansConverted.

This was fixed in EBIP-10.
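
A simplified model of the cap described under Bug and Fix, added here as an example and not taken from Beanstalk's code. The function names, the peg condition (Bean reserve equals ETH reserve times an assumed Beans-per-ETH price) and the reserve figures are constructed assumptions; only beans and beansConverted correspond to names on this page.

```python
# Toy model of the Bean -> LP Convert cap (constructed example, not Beanstalk code).
# Assumption: the Well is at peg when bean_reserve == eth_reserve * beans_per_eth,
# and a Convert adds Beans single-sided, so only the Bean reserve moves.


def beans_to_peg(bean_reserve: int, eth_reserve: int, beans_per_eth: int) -> int:
    """Beans the Well can absorb before reaching peg (0 if at or past peg)."""
    return max(eth_reserve * beans_per_eth - bean_reserve, 0)


def convert_vulnerable(beans: int, bean_reserve: int, eth_reserve: int,
                       beans_per_eth: int) -> int:
    """Models the pre-fix behaviour: (1) the raw user input is converted."""
    beans_converted = min(beans, beans_to_peg(bean_reserve, eth_reserve, beans_per_eth))
    _ = beans_converted  # (2) is available but not used
    return beans


def convert_fixed(beans: int, bean_reserve: int, eth_reserve: int,
                  beans_per_eth: int) -> int:
    """Models the fix: convert (2), the minimum of the input and the amount to peg."""
    return min(beans, beans_to_peg(bean_reserve, eth_reserve, beans_per_eth))


def delta_b_after(converted: int, bean_reserve: int, eth_reserve: int,
                  beans_per_eth: int) -> int:
    """Beans still missing to reach peg after the Convert; negative means past peg."""
    return eth_reserve * beans_per_eth - (bean_reserve + converted)


def convert_respects_peg(converted: int, bean_reserve: int, eth_reserve: int,
                         beans_per_eth: int) -> bool:
    """Invariant for a regression test or monitor: a Convert never crosses peg."""
    return converted == 0 or delta_b_after(
        converted, bean_reserve, eth_reserve, beans_per_eth) >= 0


if __name__ == "__main__":
    # Constructed reserves: 1.9M Beans, 1,000 ETH, 2,000 Beans per ETH.
    well = (1_900_000, 1_000, 2_000)
    for name, fn in (("vulnerable", convert_vulnerable), ("fixed", convert_fixed)):
        converted = fn(500_000, *well)
        print(name, converted, delta_b_after(converted, *well),
              convert_respects_peg(converted, *well))
```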

Determination

The BIC determined that the funds at risk were all of the Beans in the Beanstalk contract (~23M) given that an attacker could have Converted all of these Beans into BEANETH Well LP tokens, removed the liquidity and sold the Beans. The amount of ETH that could be stolen combined with the subsequent crash in the Bean price would have resulted in economic damage of over $11M.

Given this, the BIC has determined that this report would qualify for the max reward on Immunefi of 1.1M Beans. However, the whitehat has graciously accepted an offer of 100,000 Beans as a reward, given their long-term alignment with Beanstalk.

Beans Minted

The init function on the following InitMint contract is called:

We propose 100,000 Beans are minted to the following address in order to pay the bounty to the whitehat: