
Report #14808

Report Date
December 16, 2022
Status
Closed
Payout

Address Poisoning Attack (Phishing threat)

Report Info

BIC Response

This is not a security bug report because this is expected behavior.

Beanstalk was built with the philosophy that it is not the smart contract's role to protect users against misuse. Adding validation would reduce gas efficiency.

Also, it should be noted that this type of attack is (1) present within all ERC-20 tokens, (2) not exploitable without the user incorrectly manually entering an address that they find on a block explorer from a "poisoning" transaction and (3) the withdrawDeposit function only allows the user to withdraw their own Deposits, so it is actually the transferDeposit function that could result in poisoning.

Due to these reasons, we are closing the submission and no reward will be issued.