BIR-9: Beanstalk Subgraph Mitigatable DoS

Proposed: January 2, 2024

Status: Passed

Link: Snapshot


Beanstalk Immunefi Committee



An attacker can DoS attack the GraphQL endpoint that serves the Beanstalk Subgraph. DoS attacks on centralized infrastructure (the subgraph is currently hosted on a Hetzner server) are not entirely mitigatable, but the current cloud server settings can be improved to mitigate this issue. A DoS attack on the subgraph would render parts of the UI temporarily unusable.


Based on the bug bounty program, this submission's ( Website and Applications - High ) reward is based on a set of internal criteria established by the BIC (with a minimum reward of USD 1 000), primarily taking into account the exploitability of the bug, the impact it causes and likelihood of the vulnerability presenting itself.

The BIC determined that the impact of this issue is low given the minimal temporary downtime that would be caused by an attack. The report also describes a DDoS attack on the Beanstalk subgraph, not the UI hosted at, which can partially function without the subgraph.

Given this, the BIC has determined that this report qualifies for a reward of 1,000 Beans.

Beans Minted

The init function on the following InitMint contract is called:

We propose 1,000 Beans are minted to the following address in order to pay the bounty to the whitehat:

We propose 100 Beans are minted to the following address in order to pay the 10% fee to Immunefi: