Beanstalk Notion
Report #31530

Report Date
May 20, 2024
Status
Closed
Payout

Significant Slowing of Entire Website

Report Info

Report ID

#31530

Report type

Websites and Applications

Has PoC?

Yes

Target

https://app.bean.money

Impacts

Taking down the application/website requiring manual restoration

Description

I've discovered a bug on the Forecast page in the stock trackers when switching between W, M and ALL on the top right on desktop.

Vulnerability Details

When I switch between W, M and ALL, it lags the website. At first I thought it was just on the client end, but I tested the connection on different devices and the website was slower than usual. Something about the stock trackers causes increased CPU and memory usage. Not only did it slow down the website on all devices, but it also slowed down my browser on my desktop. The lagging lasted approximately 1 minute.

Impact Details

I'm concerned that excessive abuse of this function could cause an overload and crash the servers, requiring manual restoration.

References

https://app.bean.money/

Example Video: https://drive.google.com/file/d/1e0KRFxiG5iuO8OD-kYVmXwuW4aSpndIB/view

Proof of concept

Video URL attached. Doing this for a long period resulted in lagging of the entire website on multiple devices. The lagging lasted approximately 1 minute.

Immunefi Response

Thank you for your submission to the Beanstalk bug bounty program. Unfortunately, after reviewing your report, Immunefi has decided to close it due to the assessed impact being out of scope.

Immunefi review:

  • The claimed impact "Taking down the application/website requiring manual restoration" by the whitehat is in the scope of the bug bounty program, but the assessed impact doesn't match the claimed impact for the following reasons.
    • The whitehat didn't provide enough information on the attack vector that could lead to the claimed impact. The whitehat is describing an issue associated with the API functionality for rendering the statistics for Beanstalk. Hence, we are closing the issue under the best practices for UI/UX issues.
  • The asset assessed by the triage team is in scope for the bug bounty program.
  • PoC has been submitted to the project.

Please note that the project will receive a report of the closed submission and may choose to re-open it, but they are not obligated to do so.