Report #25611

Report Date
November 12, 2023

Payable function using delegatecall inside a loop

Report Info

Report ID


Report type

Smart Contract

Has PoC?





  • Theft of unclaimed yield
  • Smart contract unable to operate due to lack of token funds
  • Temporary freezing of funds for at least 1 hour
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Any governance voting result manipulation

Bug Description

use of delegatecall inside a loop in a payable function. Depot.farm(bytes[]) (contracts/depot/Depot.sol line 55-66) has delegatecall inside a loop in a payable function:


the same msg.value amount will be accredited multiple times.

Risk Breakdown

Difficulty to Exploit: Easy


Carefully check that the function called by delegatecall is not payable/doesn't use msg.value

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.
  • claimed impact by the whitehat is in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has not been submitted to the project
  • claimed severity is in scope for the bug bounty program

Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:

  • check if whitehat's claims are factually correct
  • check PoC to understand the validity
  • assess the submission's severity

These activities are the project's responsibility.

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.