Beanstalk Farms is a decentralized development organization working on Beanstalk, Basin and Pipeline. Root is a protocol built on top of Beanstalk.
This bug bounty program is focused on securing all 4 projects:
- Beanstalk is a permissionless fiat stablecoin protocol;
- Basin is a composable EVM-native decentralized exchange protocol;
- Pipeline is a sandbox contract that can execute an arbitrary number of actions within the EVM from an EOA in a single transaction; and
- Root is a permissionless fungible wrapper that enables collective farming for Beanstalk Silo Deposits.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. The following is a simplified 3-level scale, focusing on the impact of the vulnerability reported. The complete scope can be found below.
In order to be considered for the maximum potential reward, bug reports must come with (1) a Proof of Concept (PoC), and (2) code implementing the fix. Explanations and statements are not accepted in lieu of a PoC and code implementing the fix. Bug reports that do not come with a PoC and code implementing a fix may qualify for a maximum of up to 30% of the potential reward outlined below, as determined by the Beanstalk Immunefi Committee. Given that the focus of the bug bounty program is Beans/BDV at risk, Circulating non-Bean assets at risk may qualify for a maximum of up to 50% of the potential reward outlined below, as determined by the BIC.
Rewards for Critical smart contract vulnerabilities are capped at the lower of (a) 10% of practicable economic damage, or (b) USD 1 100 000, primarily taking into consideration Beans/BDV at risk. However, there is a minimum reward of USD 100 000 for Critical severity smart contract bug reports.
Rewards for High smart contract vulnerabilities are capped at the lower of (a) 100% of practicable economic damage, or (b) USD 100 000, primarily taking into consideration Beans/BDV at risk. However, there is a minimum reward of USD 10 000 for High severity smart contract bug reports.
Rewards for Medium severity smart contract vulnerabilities and all website and applications vulnerabilities are scaled based on a set of internal criteria established by the BIC. However, there is a minimum reward of USD 1 000 for Medium smart contract bug reports, USD 5 000 for Critical website and applications bug reports and USD 1 000 for High website and applications bug reports. The BIC will primarily take into account:
- The exploitability of the bug;
- The impact it causes; and
- The likelihood of the vulnerability presenting itself.
Payouts are handled by the Beanstalk Community Multisig (BCM) directly and are done in BEAN at the rate of 1 BEAN to 1 USD (i.e., amounts listed above are actually in BEAN).
All vulnerabilities noted in any audit report in the Beanstalk Audits repository (or otherwise known by the BIC, BCM, or Root DAO Multisig) are not eligible for a reward.
The BIC shall determine whether a submitting party is entitled to a bug bounty/reward, and if so, the amount of such bounty/reward (and specifically, whether such submission qualifies for a Critical, High or Medium Impact bounty/reward, what is the potential practicable economic damage of such bug based on the Beans/BDV at risk, and what the appropriate bounty/reward should be within each Impact range). The BIC’s determination of (i) whether such submission qualifies for a Critical, High or Medium Impact bounty/reward, (ii) what is the potential practicable economic damage of such bug based on the Beans/BDV at risk, and (iii) whether such submission came with a PoC and code implementing a fix, thereby enabling it to be considered for the maximum potential applicable reward (vs. a submission that did not come with a PoC and code implementing a fix, thereby limiting such submission to a maximum of up to 30% of the applicable reward), shall be made in the BIC’s sole and absolute discretion absolute and shall be final, and not be subject to any appeal or challenge.
A submitting party may only dispute the BIC’s determination (a) that a submitting party is not entitled to any bug bounty/reward, or (b) what the appropriate bounty/reward should be within each Impact range. In such disputes, Immunefi will conduct a binding mediation. If the submitting party disputes the BIC’s decision that a submitting party is not entitled to any bug bounty/reward, Immunefi will mediate, and shall determine, in its sole and absolute discretion, which is non-appealable, whether the submitting party is entitled to any bug bounty/reward, and if so, the amount of such bug bounty/reward, up to USD 10 000 in the case of a smart contract bug reports (i.e., as if it were a Medium Impact fix), and up to USD 1 000 in the case of a website and applications bug report (i..e, as if it were a High Impact fix). If the submitting party disputes the BIC’s determination what the appropriate bounty/reward should be within a specific Impact range, Immunefi will mediate, and shall determine, in its sole and absolute discretion, which is non-appealable, the amount of such bug bounty/reward in the relevant Impact category; however, Immunefi may not modify or change (i) the practicable economic damage determination made by the BIC, or (b) the BIC’s determination whether such submission came with a PoC and code implementing a fix, thereby enabling it to be considered it for the maximum potential applicable reward (vs. a submission that did not come with a PoC and code implementing a fix, thereby limiting such submission to a maximum of up to 30% of the applicable reward).
- USD $100,000 up to USD $1,100,000
- USD $10,000 up to USD $100,000
- USD $1,000 up to USD $10,000
Websites and Applications
- USD $5,000 up to USD $50,000
- USD $1,000 up to USD $5,000
Assets in scope
- Smart Contract - Bean ERC-20 tokenType
- Smart Contract - Unripe Bean ERC-20 tokenType
- Smart Contract - Unripe BEAN:3CRV LP ERC-20 tokenType
- Smart Contract - Fertilizer ERC-1155 tokenType
- Smart Contract - BeanstalkType
- Smart Contract - Fertilizer ImplementationType
- Smart Contract - AquiferType
- Smart Contract - Constant Product 2 Well FunctionType
- Smart Contract - Multi Flow PumpType
- Smart Contract - Well ImplementationType
- Smart Contract - BEAN:ETH WellType
- Smart Contract - PipelineType
- Smart Contract - DepotType
- Smart Contract - Root ERC-20 TokenType
- TargetWebsites and Applications - Beanstalk UIType
If an impact can be caused to any other asset related to Beanstalk that isn’t on this section but for which the impact is in the Impacts in Scope section below, bug bounty hunters are encouraged to submit it for consideration by the BIC.
Note that unexpected outcomes (like loss of funds) due to misuse of Pipeline do not qualify as valid bug reports. Read more here.
Undeployed Code in Scope
The BIC also maintains a list of pull requests/repositories whose code is considered in-scope but has not yet been deployed on-chain. This code has been audited. The following code is in-scope of the bug bounty program:
- None at this time
All Beanstalk smart contracts and the Beanstalk UI can be found at https://github.com/BeanstalkFarms/Beanstalk. However, only those in the Assets in Scope section are considered as in-scope of the bug bounty program. The following links may also be helpful:
- Beanstalk Whitepaper
- Beanstalk Docs
- Beanstalk Technical Docs
- Beanstalk GitHub
- Beanstalk Discord
- Beanstalk on Louper
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
- Any governance voting result manipulationCriticalImpact
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yieldCriticalImpact
- Permanent freezing of fundsCriticalImpact
- Theft of unclaimed yieldHighImpact
- Permanent freezing of unclaimed yieldHighImpact
- Temporary freezing of funds for at least 1 hourHighImpact
- Illegitimate minting of protocol native assetsHighImpact
- Smart contract unable to operate due to lack of token fundsMediumImpact
- Block stuffing for profitMediumImpact
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)MediumImpact
- Theft of gasMediumImpact
- Unbounded gas consumptionMediumImpact
- Contract fails to deliver promised returns, but doesn't lose valueMediumImpact
Websites and Applications
- Taking down the application/website requiring manual restorationCriticalImpact
- Redirecting users to malicious websitesCriticalImpact
- Direct theft of user fundsCriticalImpact
- Ability to execute arbitrary system commandsCriticalImpact
- Injecting code that results in malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactionsCriticalImpact
- Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governanceCriticalImpact
- A temporary or self-correcting loss of website availability (e.g. a mitigatable vulnerability to DDoS)HighImpact
- Lack of valid SSL/TLSHighImpact
- Subdomain takeover other than app.bean.moneyHighImpact
- Persistent content spoofing / text injection issuesHighImpact
Out of Scope & Rules
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Attacks that the reporter has already exploited themselves, leading to damage;
- Attacks requiring access to leaked keys/credentials; and
- Attacks requiring access to privileged addresses (governance, strategist).
- Incorrect data supplied by third party oracles;
- Not to exclude oracle manipulation/flash loan attacks;
- Basic economic governance attacks (e.g., 51% attack);
- Lack of liquidity;
- Best practice critiques;
- Sybil attacks; and
- Centralization risks.
Website and Applications
- Theoretical vulnerabilities without any proof or demonstration
- CSRF with no security impact (logout CSRF, change language, etc.)
- Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”)
- Server-side information disclosure such as IPs, server names, and most stack traces
- Vulnerabilities requiring unlikely user actions
- A non-mitigatable DDoS vulnerability
- Feature requests
- Best practices issues without concrete impact and PoC
- Vulnerabilities primarily caused by browser/plugin defects
- Leakage of non sensitive API keys such as Etherscan, Infura, Alchemy, etc.
- Any vulnerability exploit requiring CSP bypass resulting from a browser bug
The following activities are prohibited by this bug bounty program and could result in disqualification of reception of a bounty, in the sole and absolute discretion of the BIC:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets;
- Any testing with pricing oracles or third party smart contracts;
- Attempting phishing or other social engineering attacks against our contributors and/or users;
- Any testing with third party systems and applications (e.g., browser extensions) as well as websites (e.g., SSO providers, advertising networks);
- Any denial of service attacks;
- Automated testing of services that generates significant amounts of traffic; and
- Public disclosure of an unpatched vulnerability in an embargoed bounty.