📄

Report #29601

Report Date
March 26, 2024
Status
Closed
Payout

tidak dapat mengambil hasil yang di dapat

Report Info

Report ID

#29601

Report type

Smart Contract

Has PoC?

Yes

Target

https://etherscan.io/address/0xC1E088fC1323b20BCBee9bd1B9fC9546db5624C5

Impacts

  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Temporary freezing of funds for at least 1 hour
  • Illegitimate minting of protocol native assets
  • Smart contract unable to operate due to lack of token funds
  • Block stuffing for profit
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Theft of gas
  • Unbounded gas consumption
  • Contract fails to deliver promised returns, but doesn't lose value

Description

Provide a very short and concise (one paragraph) statement on what the problem is, and what the consequences would be if the bug were exploited in production/mainnet.

Vulnerability Details

Offer a detailed explanation of the vulnerability itself. Do not leave out any relevant information. Code snippets should be supplied whenever helpful, as long as they don’t overcrowd the report with unnecessary details. This section should make it obvious that you understand exactly what you’re talking about, and more importantly, it should be clear by this point that the vulnerability does exist.

Impact Details

Provide a detailed breakdown of possible losses from an exploit, especially if there are funds at risk. This illustrates the severity of the vulnerability, but it also provides the best possible case for you to be paid the correct amount. Make sure the selected impact is within the program’s list of in-scope impacts and matches the impact you selected.

References

Add any relevant links to documentation or code

Immunefi Response

Immunefi has reviewed this vulnerability report and decided to close since being out of scope for Beanstalk bug bounty program.
  • claimed impact by the whitehat is in scope for the bug bounty program
  • claimed asset by the whitehat is in scope for the bug bounty program
  • PoC has not been submitted to the project
  • claimed severity is in scope for the bug bounty program

Since this bug bounty program does not require Immunefi's triaging, note that Immunefi does not:

  • check if whitehat's claims are factually correct
  • check PoC to understand the validity
  • assess the submission's severity

These activities are the project's responsibility.

The project will now be automatically subscribed and receive a report of the closed submission and can evaluate if they are interested in re-opening it. However, note that they are not under any obligation to do so.