Committed: September 5, 2022
Beanstalk Community Multisig
Per the process outlined in the BCM Emergency Response Procedures, an emergency hotfix may be implemented by an emergency vote of the BCM if the bug is minor and does not require significant code changes.
Note: Bugs or security vulnerabilities qualify as emergencies. Emergency action will not be taken for any reason related to the economic health of Beanstalk (like a bank run, for example).
The BCM has updated Beanstalk to remove the chop() function which was vulnerable. After searching for the chop() event, it appears that no one had called the chop() function yet. Therefore, the vulnerability was never exploited.
You can read more about the vulnerability in Halborn's audit report of BIP-24 on pages 15-18.
Remove the chop() function until a new implementation can be sufficiently audited and re-added via BIP.
chop() is not a frequently used function, so it is acceptable for Beanstalk to remain operational and Unpaused while the chop() is unable to be called.
The chop() function will be re-added to the contract via an additional update as soon as possible and once Halborn has approved the fixes.
Immediately upon commit by the BCM, which has already happened.
chop() in UnripeFacet