

This bug bounty program is focused on securing all 3 of the following projects:

  • Beanstalk is a permissionless fiat stablecoin protocol;
  • Basin is a composable EVM-native decentralized exchange protocol; and
  • Pipeline is a sandbox contract that can execute an arbitrary number of actions within the EVM from an EOA in a single transaction.

There is a list of resources (docs, repositories, etc.) under the Assets in Scope section. You can also check out past bug reports and past bounty payouts for this bug bounty program.

Bounties are paid in BEAN via the Beanstalk Immunefi Committee Multisig (BICM). For more details about the payment process, please view the Rewards by Threat Level section further below.

Maximum Bounty
Live Since: 11 October 2022
Last Updated: 21 March 2025
  • PoC required
  • Vault program

If an impact can be caused to any other asset related to Beanstalk that isn’t listed in this section, but the impact is listed in the Impacts in Scope section below, bug bounty hunters are encouraged to submit it for consideration by the BIC.

Note that unexpected outcomes (like loss of funds) due to misuse of Pipeline and/or Depot do not qualify as valid bug reports. Read more here.

Also note that the various ecosystem subgraphs (Beanstalk, Bean, Basin, etc.) are not included as Assets in Scope.

Undeployed Code in Scope

The BIC also maintains a list of pull requests/repositories whose code is considered in scope but has not yet been deployed on-chain. This code has been audited. The following code is in scope for the bug bounty program:

  • None at this time

Additional Resources

All Beanstalk smart contracts and the Beanstalk UI can be found at However, only those in the Assets in Scope section are considered as in-scope of the bug bounty program. The following links may also be helpful:


