Beanstalk

The following impacts are out of scope for this bug bounty program:

All Categories:

• Impacts related to attacks that the reporter has already exploited themselves, leading to damage;
• Impacts caused by attacks requiring access to leaked keys/credentials;
• Impacts caused by attacks requiring access to privileged addresses (owner address);
• Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in the code;
• Impacts that involve frontrunning transactions, i.e., impacts that require users to send transactions through the public mempool;
• Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope;
• Best practice recommendations;
• Feature requests; and
• Impacts on test and configuration files unless stated otherwise in the bug bounty program.

Smart Contract Specific:

• Incorrect data supplied by third party oracles;
  • Not to exclude oracle manipulation/flash loan attacks;
• Impacts requiring basic economic and governance attacks (e.g. 51% attack);
• Lack of liquidity impacts;
• Impacts from Sybil attacks; and
• Impacts involving centralization risks.

Websites and Apps

• Theoretical impacts without any proof or demonstration;
• Impacts involving attacks requiring physical access to the victim device;
• Impacts involving attacks requiring access to the local network of the victim;
• Any impacts involving self-XSS;
• Captcha bypass using OCR without impact demonstration;
• CSRF with no state modifying security impact (e.g. logout CSRF);
• Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”);
• Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces;
• Impacts caused by vulnerabilities requiring unprompted, in-app user actions that are not part of the normal app workflows;
• Impacts primarily caused by browser/plugin defects;
• Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.);
• Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass); and
• Any vulnerabilities inherent in hosting centralized infrastructure.

Prohibited Activities:

The following activities are prohibited by this bug bounty program and could result in disqualification of reception of a bounty, in the sole and absolute discretion of the BIC:

• Any testing on mainnet or public testnet deployed code; all testing should be done on local forks or private testnets;
• Any testing with pricing oracles or third-party smart contracts;
• Attempting phishing or other social engineering attacks against contributors and/or users;
• Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks);
• Any denial of service attacks;
• Automated testing of services that generates significant amounts of traffic; and
• Public disclosure of an unpatched vulnerability in an embargoed bounty.