BeethovenX

Introduction and Motivation

On January 5, 2024, going to the beets.fi website will provide a user with a warning if they are invested in a pool with a known vulnerability. The message reads: “You are invested in a pool with a known vulnerability. Please remove liquidity from the affected pool(s) immediately. Read more”

“Read more” links to the official Beethoven X Twitter which gives a message to check the Discord for a list of affected LPs.

The tweet displayed an outdated Discord link which in the meantime has been compromised.

Background

0xc74…ed2 discovered the compromised link when trying to view the the affected pools on the Beethoven discord. The server asked for verification but was really a transaction to transfer FTM as well as other tokens. Due to a sense of urgency to remove liquidity and the belief that the links were to and from a valid server, 0xc74…ed2 completed what was thought to be a verification signature.

TX: https://ftmscan.com/tx/0x37a2055311ba66bf53764e8c29b4a8f9eaf8564d2a0d0cc7bd2c87701f8fecc9

0xc74…ed2 found the official Discord server and reported the compromised link to franzns.

Tweets containing the outdated link have been removed as a precaution.

Proposal

This proposal, if adopted, will award 0xc74…ed2 a bug bounty for discovering and reporting the compromised link thereby preventing additional losses from future victims.

Bounty rationale Wide impact potential on users Prominent display on highly trafficked homepage Urgent message increases time pressure for users to act quickly to prevent loss of funds Vanity link from official Twitter account appears authoritative 0xc74…ed2 later helped identify other channels with the compromised link aiding in swift corrective action

Execution Plan

If approved, the Treasury will send the approved amount to an address of the bug reporter.