Report #19211

Report Date
April 14, 2023

Missing payable modifiers for important functions

Report Info

Report ID




Report type

Smart Contract


Any governance voting result manipulation

Has PoC?


Bug Description


All functions of all Beanstalk diamond proxy smart contracts have the payable modifier.

In contract OwnershipFacet https://etherscan.io/address/0x5d45283ff53aabdb93693095039b489af8b18cf7

In the functions transferOwnership and claimOwnership, the payable modifier is missing to run these functions.

I attached a screenshot from Etherscan to show a PoC that the payable modifier is missing for these functions.

Risk Breakdown

Difficulty to Exploit: Easy

Weakness:

CVSS2 Score:

Proof of concept

I attached screenshots from Etherscan for 0x5d45283ff53aabdb93693095039b489af8b18cf7 to show a PoC that the payable modifier is missing.

BIC Response

The bug bounty program notes that: "All vulnerabilities noted in any audit report in the Beanstalk Audits repository (or otherwise known by the BIC, BCM, or Root DAO Multisig) are not eligible for a reward."

The BIC is already aware that a payable modifier is not on the transferOwnership and claimOwnership functions. More notably, it is not clear why this would be a vulnerability and the report does not state why this would be the case.

For these reasons, we are closing the submission and a reward will not be issued.