EBIP-5: Remove transferTokenFrom Function

Committed: November 14, 2022


Beanstalk Community Multisig

Emergency Process Note

Per the process outlined in the BCM Emergency Response Procedures, the BCM can take swift action to protect Beanstalk in the event of a bug or security vulnerability.

This bug was reported by a whitehat on Immunefi.


In transferTokenFrom(...), only the allowance for Farm (INTERNAL) balances from msg.sender was checked, not Circulating (EXTERNAL) balances. Therefore, anyone could successfully call the transferTokenFrom(...) function with EXTERNAL as fromMode, their own address as recipient and the address of a Farmer who had Circulating assets that were approved to be used by Beanstalk as sender.

Funds at Risk

As of writing on November 15, 2022, the total funds at risk due to this vulnerability was about $3,087,655 worth of assets. This could have decreased or increased at any time based on the assets Farmers had in their Circulating balance that they had approved Beanstalk to use, or the value of the tokens themselves fluctuating.

Notably, these were funds that were approved to be used by Beanstalk. The number of Beans at risk roughly equates to the value that could have been removed from the BEAN:3CRV liquidity pool.

All dollar values in the following table are estimates.

Token Tokens at risk Current value per token Value at risk
BEAN 537,582.5167 $1.0000 $537,582.52
WETH 14.19750283 $1,263.15 $17,933.58
3CRV 29.24003397 $1.0165 $29.72
DAI 7,215.315006 $0.9999 $7,214.59
USDC 2,519,374.833 $1.0001 $2,519,626.77
USDT 5,170.245591 $0.9992 $5,166.11
BEAN3CRV LP 0.4458259384 $1.00092* $0.45
urBEAN 7.257246 $0.0054** $0.04
urBEAN3CRV 18,909.8082 $0.0054** $102.11

*There's no liquid market for the BEAN3CRV LP token itself, so the current BDV is used to estimate the value.

**There's no liquid market for Unripe assets, so the Chop Penalty is used to estimate the value of these tokens.


Remove the transferTokenFrom(...) function until a fix can be sufficiently reviewed.

Contract Changes


The following TokenFacet is still part of Beanstalk:

The following functions are removed from TokenFacet:

Name Selector
transferTokenFrom(...) 0x7006e387


Effective immediately upon commit by the BCM, which has already happened.