BIR-9: Beanstalk Subgraph Mitigatable DoS

Proposed: January 2, 2024

Status: Passed

Link: Snapshot
Proposer

Beanstalk Immunefi Committee

Summary

Bug

An attacker can mount a DoS attack against the GraphQL endpoint that serves the Beanstalk Subgraph. DoS attacks on centralized infrastructure (the subgraph is currently hosted on a Hetzner server) cannot be mitigated entirely, but the current cloud server settings can be improved to reduce the impact of this issue. A DoS attack on the subgraph would render parts of the UI temporarily unusable.

Determination

Based on the bug bounty program, this submission's (Website and Applications - High) reward is based on a set of internal criteria established by the BIC (with a minimum reward of USD 1,000), primarily taking into account the exploitability of the bug, the impact it causes and the likelihood of the vulnerability presenting itself.

The BIC determined that the impact of this issue is low given the minimal temporary downtime that would be caused by an attack. The report also describes a DDoS attack on the Beanstalk subgraph, not the UI hosted at app.bean.money, which can partially function without the subgraph.

Given this, the BIC has determined that this report qualifies for a reward of 1,000 Beans.

Beans Minted

The init function on the following InitMint contract is called:

We propose 1,000 Beans are minted to the following address in order to pay the bounty to the whitehat:

We propose 100 Beans are minted to the following address in order to pay the 10% fee to Immunefi: