Report Date
May 24, 2023
Status
Closed
Payout
Oracle vulnerable to Multi-block MEV attack
‣
BIC Response
The program states:
All vulnerabilities noted in any audit report in the Beanstalk Audits repository (or otherwise known by the BIC, BCM, or Root DAO Multisig) are not eligible for a reward.
This is not a valid security bug report because the BIC and BCM are already aware of the potential of a multi-block MEV attack on the Beanstalk oracle.
This is reflected by the existence of the deltaB cap that you reference ("which is limited to 1% of the total supply of Beans due to checkForMaxDeltaB"). You can read more about EBIP-2 here:Â https://bean.money/ebip-2.
Due to these reasons, we are closing the submission and no reward will be issued.