Stable 2 Well Function, Lookup Table with A = 1

If an impact can be caused to any other asset related to Beanstalk that isn’t on this section but for which the impact is in the Impacts in Scope section below, bug bounty hunters are encouraged to submit it for consideration by the BIC. 

Note that unexpected outcomes (like loss of funds) due to misuse of Pipeline and/or Depot do not qualify as valid bug reports. Read more [here](https://evmpipeline.org/pipeline.pdf?utm_source=immunefi#section.6).

Also note that the various ecosystem subgraphs ([Beanstalk](https://graph.node.bean.money/subgraphs/name/beanstalk/graphql), [Bean](https://graph.node.bean.money/subgraphs/name/beanstalk/bean), [Basin](https://graph.node.bean.money/subgraphs/name/beanstalk/basin), etc.) are not included as Assets in Scope. 

__Undeployed Code in Scope__

The BIC also maintains a list of pull requests/repositories whose code is considered in-scope but has not yet been deployed on-chain. This code has been audited. The following code is in-scope of the bug bounty program:
  - None at this time

__Additional Resources__

All Beanstalk smart contracts and the Beanstalk UI can be found at [https://github.com/BeanstalkFarms/Beanstalk](https://github.com/BeanstalkFarms/Beanstalk). However, only those in the Assets in Scope section are considered as in-scope of the bug bounty program. The following links may also be helpful:

Beanstalk
  - [Beanstalk Whitepaper](https://bean.money/beanstalk.pdf)
  - [Beanstalk Docs](https://docs.bean.money/almanac/)
  - [Beanstalk Technical Docs](https://docs.bean.money/developers)
  - [Beanstalk GitHub](https://github.com/BeanstalkFarms/Beanstalk)
  - [Beanstalk Discord](https://discord.gg/beanstalk)
  - [Beanstalk on Louper](https://louper.dev/diamond/0xc1e088fc1323b20bcbee9bd1b9fc9546db5624c5) 

Basin
  - [Basin Whitepaper](https://basin.exchange/basin.pdf)
  - [Multi Flow Pump Whitepaper](https://basin.exchange/multi-flow-pump.pdf)
  - [Basin Docs](https://docs.basin.exchange/)
  - [Basin GitHub](https://github.com/BeanstalkFarms/Basin)
  - [Basin Discord](https://basin.exchange/discord)

Pipeline
  - [Pipeline Whitepaper](https://evmpipeline.org/pipeline.pdf)
  - [Pipeline GitHub](https://github.com/BeanstalkFarms/Pipeline)

This bug bounty program is focused on securing all 3 of the following projects:
  - [Beanstalk](https://bean.money/) is a permissionless fiat stablecoin protocol;
  - [Basin](https://basin.exchange/) is a composable EVM-native decentralized exchange protocol; and
  - [Pipeline](https://evmpipeline.org/) is a sandbox contract that can execute an arbitrary number of actions within the EVM from an EOA in a single transaction. 

Theft of unclaimed yield

Permanent freezing of unclaimed yield

Temporary freezing of funds for at least 1 hour

Illegitimate minting of protocol native assets

Persistent content spoofing / text injection issues

Smart contract unable to operate due to lack of token funds

Block stuffing for profit

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Theft of gas

Unbounded gas consumption

Contract fails to deliver promised returns, but doesn't lose value

Invariant is missing on a function where it should be implemented

Exploit is possible but is exclusively prevented by an invariant

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Permanent freezing of funds

Taking down the application/website requiring manual restoration

Redirecting users to malicious websites

Direct theft of user funds

Ability to execute arbitrary system commands

Injecting code that results in malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions

Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as voting in governance

Rewards are distributed according to the impact of the vulnerability based on the [Immunefi Vulnerability Severity Classification System V2.3](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-3/). The following is a simplified 3-level scale, focusing on the impact of the vulnerability reported. The complete scope can be found below.

In order to be considered for the maximum potential reward, bug reports must come with a Proof of Concept (PoC). Explanations and statements are not accepted in lieu of a PoC. Bug reports that do not come with a PoC may qualify for a maximum of up to 30% of the potential reward outlined below, as determined by the Beanstalk Immunefi Committee. 

Funds at Risk for a given bug report are defined as follows:

  - Funds at Risk are determined based on the token amounts and USD values at time of the bug report submission;
  - For Beans, Funds at Risk are determined based on the liquidatable USD value of the Beans at risk;
  - For non-Beans (ETH, WETH, 3CRV, USDC, DAI, USDT, etc.) in any in-scope assets, the Funds at Risk are determined based on their respective USD values;
  - For Circulating non-Beans (i.e., outside of any in-scope assets), the Funds at Risk are determined to be 50% of their respective USD values; and
  - If the smart contract where the vulnerability exists can be upgraded or paused, only the Funds at Risk in initial attacks that can be executed within the first hour will be considered for a reward.

__Reward Calculation for Critical Smart Contract Reports__

Rewards for Critical smart contract vulnerabilities are capped at the lower of (a) 10% of practicable economic damage, or (b) __USD 1 100 000__, primarily taking into consideration the Funds at Risk. However, there is a minimum reward of __USD 100 000__ for Critical severity smart contract bug reports.

__Reward Calculation for High Smart Contract Reports__

Rewards for High smart contract vulnerabilities are capped at the lower of (a) 10% of practicable economic damage, or (b) __USD 100 000__, primarily taking into consideration the Funds at Risk. However, there is a minimum reward of __USD 10 000__ for High severity smart contract bug reports.

__Reward Calculation for Medium Smart Contract and All Website and Applications Reports__

Rewards for Medium severity smart contract vulnerabilities and all website and applications vulnerabilities are scaled based on a set of internal criteria established by the BIC. However, there is a minimum reward of USD 1 000 for Medium smart contract bug reports, __USD 5 000__ for Critical website and applications bug reports and __USD 1 000__ for High website and applications bug reports. The BIC will primarily take into account:

  - The exploitability of the bug;
  - The impact it causes; and
  - The likelihood of the vulnerability presenting itself.

__Reward Payment Terms__

Payouts are handled by the [Beanstalk Immunefi Committee Multisig (BICM)](https://docs.bean.money/almanac/governance/beanstalk/bicm-dashboard) directly and are done in BEAN at the rate of 1 BEAN to 1 USD (i.e., amounts listed above are actually in BEAN) independent of liquidity (see BEAN liquidity [here](https://app.bean.money/#/analytics?bean=liquidity)—as of writing, Beans have over $28M of liquidity, primarily on [Basin](https://basin.exchange/#/wells)). Note that due to the decentralized governance process for rewarding bug bounties, rewards can take several days to be paid out after a report is confirmed to be valid.

__BIC Determination__

The BIC shall determine whether a submitting party is entitled to a bug bounty/reward, and if so, the amount of such bounty/reward (and specifically, whether such submission qualifies for a Critical, High or Medium Impact bounty/reward, what is the potential practicable economic damage of such bug based on the Funds at Risk, and what the appropriate bounty/reward should be within each Impact range). The BIC’s determination of (i) whether such submission qualifies for a Critical, High or Medium Impact bounty/reward, (ii) what is the potential practicable economic damage of such bug based on the Funds at Risk, and (iii) whether such submission came with a PoC, thereby enabling it to be considered for the maximum potential applicable reward (vs. a submission that did not come with a PoC, thereby limiting such submission to a maximum of up to 30% of the applicable reward), shall be made in the BIC’s sole and absolute discretion absolute and shall be final, and not be subject to any appeal or challenge.

A submitting party may only dispute the BIC’s determination (a) that a submitting party is not entitled to any bug bounty/reward, or (b) what the appropriate bounty/reward should be within each Impact range. In such disputes, Immunefi will conduct a binding mediation. If the submitting party disputes the BIC’s decision that a submitting party is not entitled to any bug bounty/reward, Immunefi will mediate, and shall determine, in its sole and absolute discretion, which is non-appealable, whether the submitting party is entitled to any bug bounty/reward, and if so, the amount of such bug bounty/reward, up to __USD 10 000__ in the case of a smart contract bug reports (i.e., as if it were a Medium Impact fix), and up to __USD 1 000__ in the case of a website and applications bug report (i..e, as if it were a High Impact fix). If the submitting party disputes the BIC’s determination what the appropriate bounty/reward should be within a specific Impact range, Immunefi will mediate, and shall determine, in its sole and absolute discretion, which is non-appealable, the amount of such bug bounty/reward in the relevant Impact category; however, Immunefi may not modify or change (i) the practicable economic damage determination made by the BIC, or (b) the BIC’s determination whether such submission came with a PoC, thereby enabling it to be considered it for the maximum potential applicable reward (vs. a submission that did not come with a PoC, thereby limiting such submission to a maximum of up to 30% of the applicable reward).