Beanstalk
This bug bounty program is focused on securing all 3 of the following projects:
- Beanstalk is a permissionless fiat stablecoin protocol;
- Basin is a composable EVM-native decentralized exchange protocol; and
- Pipeline is a sandbox contract that can execute an arbitrary number of actions within the EVM from an EOA in a single transaction.
There is a list of resources (docs, repositories, etc.) under the Assets in Scope section. You can also check out past bug reports and past bounty payouts for this bug bounty program.
Bounties are paid in BEAN via the Beanstalk Immunefi Committee Multisig (BICM). For more details about the payment process, please view the Rewards by Threat Level section further below.
Triaged by Immunefi
PoC required
Vault program
If an impact can be caused to any other asset related to Beanstalk that isn’t listed in this section, but the impact is covered by the Impacts in Scope section below, bug bounty hunters are encouraged to submit it for consideration by the BIC.
Note that unexpected outcomes (like loss of funds) due to misuse of Pipeline and/or Depot do not qualify as valid bug reports. Read more here.
Also note that the various ecosystem subgraphs (Beanstalk, Bean, Basin, etc.) are not included as Assets in Scope.
Undeployed Code in Scope
The BIC also maintains a list of pull requests/repositories whose code is considered in scope but has not yet been deployed on-chain. This code has been audited. The following code is in scope for the bug bounty program:
- None at this time
Additional Resources
All Beanstalk smart contracts and the Beanstalk UI can be found at https://github.com/BeanstalkFarms/Beanstalk. However, only those in the Assets in Scope section are considered in scope for the bug bounty program. The following links may also be helpful:
Beanstalk
- Beanstalk Whitepaper
- Beanstalk Docs
- Beanstalk Technical Docs
- Beanstalk GitHub
- Beanstalk Discord
- Beanstalk on Louper
Basin
Pipeline