BIR-10: Stalk Ownership Griefing

Proposed: January 31, 2024

Status: Failed

Link: Snapshot, Arweave


Proposer

Beanstalk Immunefi Committee

Summary

  • Mint 1,000 Beans to the whitehat that reported the Stalk ownership griefing issue; and
  • Mint 100 Beans to Immunefi's address in order to cover the 10% fee.

Links

Bug

By calling transferDeposit with an amount of 0, anyone is able to steal 1 root (an internal accounting variable used to track Stalk ownership) at a time from any other user for the cost of gas.

Determination

The BIC determined that the impact of this issue is low, given that roots cannot be redeemed for any underlying value and that any form of "attack" would be unprofitable by a significant margin. Thus, the most applicable impact in scope is griefing, and any "attack" related to this bug report would have an extremely low likelihood.

For these reasons, the BIC has determined that this bug report be rewarded 1,000 Beans.

  • Potential practicable economic damage: N/A
  • Impact: Medium — Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Entitled to reward: Yes

Beans Minted

The init function on the following InitMint contract is called:

We propose 1,000 Beans are minted to the following address in order to pay the bounty to the whitehat:

We propose 100 Beans are minted to the following address in order to pay the 10% fee to Immunefi: