Report #25519

Report Date
November 8, 2023
Status
Confirmed
Payout
1,100,000

All of Beanstalk's BEAN can be drained by a hacker due to a bug in convertFacet and LibWellConvert

Report Info

BIR-7: Verify Whitelisted Pool for Converts

BIC Response

Based on our bounty page, this submission's (Smart Contract - Critical) reward is capped at the lower of (a) 10% of practicable economic damage, or (b) USD 1 100 000, primarily taking into consideration Beans/BDV at risk and paid at the rate of 1 BEAN to 1 USD.

The BIC determined that the funds at risk were all of the Beans in the Beanstalk contract (~22.8M) given that an attacker could have Converted all of these Beans into their own Bean Deposits (which could then be Withdrawn and sold).

Given this, the BIC has determined that this report qualifies for the max reward of 1.1M Beans.