Report #20760

Report Date: May 24, 2023

Oracle vulnerable to Multi-block MEV attack

Report Info

BIC Response

The program states:

All vulnerabilities noted in any audit report in the Beanstalk Audits repository (or otherwise known by the BIC, BCM, or Root DAO Multisig) are not eligible for a reward.

This is not a valid security bug report because the BIC and BCM are already aware of the potential of a multi-block MEV attack on the Beanstalk oracle.

This is reflected by the existence of the deltaB cap that you reference ("which is limited to 1% of the total supply of Beans due to checkForMaxDeltaB"). You can read more about EBIP-2 here: https://bean.money/ebip-2.

Due to these reasons, we are closing the submission and no reward will be issued.