Report #15045

Report Date: December 22, 2022
Status: Closed
Payout

Price manipulation attack tricking the system into minting

Report Info

BIC Response

The reported issue is in part accounted for as a result of EBIP-2 (which implemented a cap on the absolute value of time-weighted average deltaB) and is otherwise known and acknowledged by the BIC.

EBIP-2: https://github.com/BeanstalkFarms/Beanstalk-Governance-Proposals/blob/master/bip/ebip/ebip-2-deltab-cap.md

From the Solution section:

Putting limits on the Oracle significantly decreases the maximum effect of such an attack in the short term given the difficulty of repeated manipulation. This functions as a short term solution. BEAN:3CRV liquidity should be moved to a Well with a multi-block MEV resistant oracle once Wells are released.

Wells for reference: https://github.com/BeanstalkFarms/Wells

From the Remaining Vulnerability section:

The high cost to execute the attack and limited exposure to Beanstalk make the attack unattractive, but not impossible to execute. Therefore, it is important to migrate to a pool with a multi-block-MEV-resistant on-chain oracle for BEAN:3CRV.