BFBP-C-1: Bug Bounty Award to sync
Proposer
mod323
Proposal
Pay a bug bounty to sync for their discovery of an on-chain TWAP oracle issue that Beanstalk may become vulnerable to after the Ethereum Merge.
Rationale
sync reached out to Publius with a potential vulnerability. As a formal bug bounty program is not yet live, we have offered sync an unofficial bug bounty of 15,000 Beans for their efforts.
Vulnerability
After the Ethereum Merge occurs, multi-block MEV will be possible, allowing validators to manipulate TWAP oracles by moving the price orders of magnitude higher for at least 1 block in a risk-free fashion, either by adding 1-sided liquidity and/or by buying all the Beans in the pool. For more information see here: https://chainsecurity.com/oracle-manipulation-after-merge/.
Beanstalk currently uses a time-weighted average oracle over the course of an hour to calculate deltaB, which determines the amount of Beans or Soil to mint each Season. Thus, node operators will have the potential to manipulate the number of Beans/Soil minted during a Season as soon as the Merge happens.
For more information on the problem and proposed solution, see the following links on GitHub:
- GitHub issue: https://github.com/BeanstalkFarms/Beanstalk/issues/91
- GitHub Pull Request: https://github.com/BeanstalkFarms/Beanstalk/pull/92
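The sensitivity described above, as an added illustration that is not part of the proposal or of Beanstalk's code: an hour-long arithmetic TWAP built from a cumulative price accumulator is skewed by a single outlier block, while a per-block median over the same window is not. The 12-second block time, 300-block window, fair price and manipulated price are all constructed sample values.

```python
"""Added example (not from the proposal or Beanstalk): how one manipulated
block moves an hour-long arithmetic TWAP, and how a median over the same
per-block prices does not. All figures below are constructed."""
from statistics import median

BLOCK_TIME = 12     # assumed seconds per post-Merge slot
WINDOW = 3600       # assumed one-hour averaging window (one Season)


def twap(observations):
    """Time-weighted arithmetic mean over (price, duration) pairs: the
    Uniswap-v2-style cumulative price accumulator divided by elapsed time."""
    cumulative = sum(price * dt for price, dt in observations)
    elapsed = sum(dt for _, dt in observations)
    return cumulative / elapsed


def per_block_median(observations):
    """Median of the per-block prices; a one-block outlier cannot move it.
    Shown only as a generic outlier-robust aggregate, not Beanstalk's fix."""
    return median(price for price, _ in observations)


def build_window(fair_price, manipulated_price, manipulated_blocks):
    """Constructed window: fair price every block except the last
    `manipulated_blocks`, which carry the manipulated price."""
    n_blocks = WINDOW // BLOCK_TIME          # 300 blocks per window
    obs = [(fair_price, BLOCK_TIME)] * (n_blocks - manipulated_blocks)
    obs += [(manipulated_price, BLOCK_TIME)] * manipulated_blocks
    return obs


def twap_deviation(fair_price, manipulated_price, manipulated_blocks=1):
    """Relative error of the TWAP versus the fair price (0.0 means no skew)."""
    obs = build_window(fair_price, manipulated_price, manipulated_blocks)
    return twap(obs) / fair_price - 1


def median_deviation(fair_price, manipulated_price, manipulated_blocks=1):
    """Relative error of the per-block median versus the fair price."""
    obs = build_window(fair_price, manipulated_price, manipulated_blocks)
    return per_block_median(obs) / fair_price - 1


if __name__ == "__main__":
    # One block at 1000x the fair price out of 300: TWAP reads ~4.33x fair.
    print(f"TWAP skew:   {twap_deviation(1.0, 1000.0):+.2%}")
    print(f"Median skew: {median_deviation(1.0, 1000.0):+.2%}")
```

With the fair price at 1.0 and a single block pushed to 1000.0, the hourly TWAP comes out at 1299/300, about 4.33, so any deltaB derived from it for that Season would be off by more than 300%.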
Payment
15,000 Beans
| Voter | Cast Power | Vote & Rationale |
|---|---|---|
| 0xE5cA...F72fa0 | 1 | For |
| 0xBDec...88c054 | 1 | For |
| 0x1D5f...73067A | 1 | For |
Proposal Status
- Mon September 12 2022, 07:51 pm: Voting Period Starts
- Sat September 17 2022, 07:51 pm: End Voting Period
Current Results
- For: 3
