📄

Report #13513

Report Date
November 14, 2022
Status
Confirmed
Payout
181,850

DIRECT THEFT OF FUNDS due to allowance set for Beanstalk

Report Info

BIR-3: transferTokenFrom External Balances

BIC Response

The BIC determined that:

  • The funds at risk were roughly $3.1M;
  • Any funds at risk were assets that users had approved to be used by Beanstalk;
  • At most 537k Beans could have been used to remove value from the BEAN:3CRV liquidity pool; and
  • Any non-Bean funds at risk could not have resulted in any loss of value in Beanstalk (apart from marginal amounts of BEAN3CRV LP, urBEAN and urBEAN3CRV).

We appreciate your thorough review of the funds at risk and responses. While the purpose of the bug bounty program is to increase the security of Beanstalk and is not necessarily concerned with non-Bean assets outside of Beanstalk, we acknowledge that a large portion of the funds at risk fall into this bucket.

Given this, the BIC has determined that the Bean portion be rewarded the full 10% and 5% for the remaining non-Bean assets outside of Beanstalk at risk:

537000 * 0.1 + ((3100000-537000) * .05) = 181850 Beans. (Funds at risk: 3.1M; Beans at risk: 537k.)

Halborn Response

I can confirm the issue, if a user has approved the Beanstalk contract it can be exploited as shown below
image