Report #22958

Report Date
August 7, 2023

Beanstalk official discord server takeover (https://discord.gg/beanstalk)

Report Info

Report ID
22958

Report type
Websites and Applications

Has PoC?
Yes

  • Redirecting users to malicious websites
  • Direct theft of user funds

Bug Description

When a web application contains pages, resources, or links pointing to external third-party services, and those external targets are broken (expired, deleted, or never registered), an attacker can claim those endpoints. The attacker then controls a destination that the target website itself links to, and can impersonate the website's identity to its users.

I have posted the news that shows what can be the real impact:

https://www.vauld.com/insights/baycs-discord-server-hacked-again/
https://www.theblock.co/post/145432/opensea-discord-account-hacked-to-promote-scam-nft-pass




Many people will become victims because they reach the Discord channel from the main page. The attacker can create a server that looks like the Beanstalk Discord channel and post malicious content (ransomware, trojans, etc.) on it, which leads to:

  • Theft of user funds
  • Theft of sensitive information such as location, email, and phone number
  • Redirection to a malicious website (Discord server)
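The defensive counterpart of the issue described above is a periodic check of a site's outgoing third-party links, so that an invite that has stopped resolving is removed or re-registered before anyone else can claim it. The following is an added example written for this report; it is not Beanstalk's or Immunefi's code. It assumes the page HTML has already been fetched and is passed in as a string, and it takes the invite-liveness check as a caller-supplied function so the scan runs offline. The `check_invite_live` helper is a hypothetical network implementation against Discord's public invite endpoint (`GET /api/v10/invites/<code>`, 404 for an unknown invite) and is not exercised here; the sample HTML and the list of "live" codes are constructed.

```python
"""Dangling Discord invite check for a web page.

Added example for this report, not the project's own code.
Assumptions (labelled, not taken from the report):
  - the page HTML is fetched elsewhere and handed in as a string;
  - invite liveness is decided by a caller-supplied callable so the scan
    is testable offline; check_invite_live() is a hypothetical network
    implementation against Discord's public invite endpoint.
"""
from html.parser import HTMLParser
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in the order they appear."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(value)


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def discord_invite_code(url):
    """Return the invite code for discord.gg/<code> or
    discord.com/invite/<code>; None for any other URL."""
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    parts = [p for p in parsed.path.split("/") if p]
    if host == "discord.gg" and len(parts) == 1:
        return parts[0]
    if host in ("discord.com", "www.discord.com") and len(parts) == 2 and parts[0] == "invite":
        return parts[1]
    return None


def check_invite_live(code):
    """Hypothetical live check (network): Discord's public invite endpoint
    answers 200 for a resolvable invite and 404 for an unknown one."""
    req = Request(
        f"https://discord.com/api/v10/invites/{code}",
        headers={"User-Agent": "dangling-link-check/1.0"},
    )
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status == 200
    except HTTPError as err:
        if err.code == 404:
            return False
        raise  # rate limiting or outages are not "dangling"; surface them


def find_dangling_invites(html, is_live):
    """Return (code, url) for each distinct Discord invite on the page
    that is_live() reports as not resolving."""
    dangling = []
    seen = set()
    for url in extract_links(html):
        code = discord_invite_code(url)
        if code is None or code in seen:
            continue
        seen.add(code)
        if not is_live(code):
            dangling.append((code, url))
    return dangling


# Constructed fixture: a navigation block with one stale and one live invite.
SAMPLE_HTML = """
<nav>
  <a href="https://app.example.test/">Home</a>
  <a href="https://discord.gg/old-invite">Discord</a>
  <a href="https://discord.com/invite/live-invite">Community</a>
  <a href="https://discord.gg/old-invite">Discord (footer duplicate)</a>
  <a href="https://twitter.com/example">Twitter</a>
</nav>
"""

# Constructed stand-in for the network check: only this code "resolves".
KNOWN_LIVE = {"live-invite"}


def demo():
    return find_dangling_invites(SAMPLE_HTML, lambda code: code in KNOWN_LIVE)


if __name__ == "__main__":
    for code, url in demo():
        print(f"DANGLING invite {code!r} linked from {url}")
```

In production the `is_live` argument would be `check_invite_live`, run on a schedule, with any dangling result raised as an alert to whoever owns the site's footer and navigation links; the same `extract_links` pass can be extended to other claimable third-party handles.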



Proof of concept

1. Visit https://app.bean.money
2. In the header, click the "..." (three-dot) menu, then click the Discord icon.
3. You will see that the invite is invalid.
4. Open Discord and go to your server settings.
5. Click on Vanity URL.
6. Enter this URL: https://discord.gg/beanstalk

The Discord channel is fully taken over.

BIC Response

This is not a valid bug report because Discord link hijacking is considered out of scope (OOS) due to its classification as a low-severity issue according to the Immunefi vulnerability severity classification system (https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/). We do not provide compensation for low severity Website and Applications issues.

Due to these reasons, we are closing the submission and no reward will be issued.