A bug bounty program with Immunefi was launched on October 11, 2022. The program focuses on the Beanstalk smart contracts and on preventing the loss of Farmers’ assets within Beanstalk and other ecosystem smart contracts. The maximum bounty is 1,100,000 Beans.
You can find the bug bounty program and submit bug reports here:
Beanstalk Bug Bounties | Immunefi
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. The following is a simplified 3-level scale, focusing on the impact of the vulnerability reported. The complete scope can be found below.
In order to be considered for the maximum potential reward, bug reports must come with (1) a Proof of Concept (PoC), and (2) code implementing the fix.
Bug reports that do not come with a PoC and code implementing a fix may qualify for up to 30% of the potential reward outlined below, as determined by the Beanstalk Immunefi Committee (BIC). You can read more about the BIC here:
Vulnerabilities noted in any Halborn audit report or the Trail of Bits audit report (or otherwise known by the BIC or BCM) are not eligible for a reward.
The following are notes on each bug report that has come in through Immunefi, the BIC’s response, any supporting information from auditors, etc. Notes are logged here once 7 days pass after the last reply in a bug report.
If you have questions about anything you see, join the Beanstalk Discord and ask in the (#❓ • questions) channel!