Bug Bounties. Made Simple.
Cantina Bounties enables protocols to protect code in production by leveraging the best network of security researchers and the Cantina Code platform.
How it works
Best Talent
Access the best talent Web3 has to offer including direct access to thousands of researchers from industry-leading firms such as Spearbit.
Efficient Process
Cantina Code was built around bettering the client experience. Simply put — less spam, higher signal findings, and less overhead for you and your team.
Highest Signal
Through quality-gating mechanisms and LLM-based de-duplication, we reduce low-effort and spam submissions from overloading protocols.
Streamlined Submission and Evaluation Process
Cantina Code provides researchers with a comprehensive code review interface to easily submit findings and the swiftest time-to-reward across the industry.
Better Communication with Clients
No more forms. No more Discord. No more GitHub. Handle all communication simply and swiftly with protocol teams — all in Cantina Code.
Highest Quality Bounties
We believe in combining the best talent with the best reward structures to provide industry-leading bug bounties for industry-leading protocols.
Uniswap Labs / Uniswap
Live
The Uniswap Protocol is a peer-to-peer system designed for the swapping of value. The Protocol is implemented as a set of persistent, non-upgradable smart contracts designed to function without the need for any intermediaries.
Scope
Contracts
The Program includes vulnerabilities and bugs in the latest deployed versions of the specified Uniswap contracts below, and commit b619b67 of the specified undeployed v4-core contracts. These files are found within the following GitHub repositories:
- V4 Core Contracts
- Universal Router Contract Code
- Permit2 Contract Code
- V3 Contract Code
- UniswapX Contract Code
- Uniswap Interface Code
However, if you find a bug in a Uniswap smart contract outside of these repositories where user funds are at risk, the team will consider the issue in-scope for our bounty under Other Uniswap Contract Code (for purposes of payout eligibility). Additionally, we anticipate adding v4-periphery to the Program soon.
Websites
Other
- Public NPM packages in the @uniswap org
- The Uniswap Chrome Extension
- The Uniswap Mobile Application
Out of Scope
- V4 Periphery Contracts
- v4 hooks that were not developed by Uniswap Labs.
- Clickjacking (we do allow 3rd parties to iframe us)
- DDOS
- Bugs in third party code
- Dev branches that are not deployed in public packages or contracts
- Third party contracts that are not under the direct control of Uniswap Labs
- Issues already listed in the audits for the contracts above
- Bugs in third party contracts or applications that use Uniswap contracts
- Brute force attacks
- Rounding errors
- Cache-control header settings
- Extreme market turmoil vulnerability
- Gas optimization recommendations
- Task Hijacking (Strandhogg)
- Any vulnerability that is previously known by the Uniswap Labs team
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
  - We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the written consent of the Uniswap Labs team.
- Conflict of Interest: any individual who is or has ever been employed by Uniswap Labs may not participate in the Bug Bounty. Additionally, any individual who has been involved in or contributed to the development of the code of the bug in question may not participate in the Bug Bounty.
Disclosure
The vulnerability must not be disclosed publicly or to any other person, entity or email address before Uniswap Labs has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
- The conditions on which reproducing the bug is contingent.
- The steps needed to reproduce the bug or, preferably, a proof of concept.
- The potential implications of the vulnerability being abused.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if they so choose.
Eligibility
To be eligible for a reward under this Program, you must:
- Discover a previously-unreported, non-public vulnerability that is not previously known by the Uniswap Labs team and is within the scope of this Program.
- Provide all KYC and other documents as requested.
- Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements.
- Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
- Not publicize or exploit a vulnerability in any way, other than through private reporting to us.
- Refrain from any privacy violations, destruction of data, interruption or degradation of any of the assets in scope.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Be at least the age of majority at the time of submission.
- Not reside in a country under any trade or economic sanctions by the United States Treasury’s Office of Foreign Assets Control, or where the laws of the United States or local law prohibit participation.
- Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code of the bug in question.
- Comply with all the rules of the Program, including but not limited to refraining from engaging in any Prohibited Actions.
Rewards
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
1. Impact Assessment
The Program includes the following 4 level Impact severity scale:
Critical Impact:
- For smart contract code: An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 20%-100% of the total TVL across all chains supported by Uniswap Labs’ Web Interface (at app.uniswap.org).
- Issues that could impact numerous users and have serious reputational, legal or financial implications
High Impact:
- For smart contract code: An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 0.5%-20% of the total TVL across all chains supported by Uniswap Labs’ Web Interface (at app.uniswap.org).
- Issues that impact individual users where exploitation would pose reputational, legal or moderate financial risk to the user.
Medium Impact:
- Smaller losses (by stealing, wasting or permanently freezing) - impacting only individual users, or specific tokens, or specific chains.
Low/Informational Impact:
The issue does not pose an immediate risk but is relevant to security best practices.
Rewards will be given based on the above impact scale, combined with the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of Uniswap Labs.
2. Likelihood Assessment
- High: Very likely to occur, either due to ease of execution or strong incentives that make it highly probable.
- Medium: Likely under specific conditions or scenarios, where incentives and feasibility make it reasonably expected.
- Low: Rare but conceivable, potentially occurring under extreme yet realistic market situations.
Payout Calculations
Payout amounts depend on which part of our product the bug is in. The Risk Score is calculated by combining the bug’s Impact and Likelihood using the Risk Classification Matrix above, to find the overall Risk of the bug.
The aggregate, maximum amount of Payouts for Uniswap v4 Contract Code is $44,400,000. All Payout amounts will be calculated based on the order in which the submission was received. The Program will be updated as appropriate to provide updates on Payout eligibility and amounts.
Uniswap v4 Contract Code
Scope:
- All contracts inside src/ in the v4-core repository, except those inside src/test/
Risk Score | Payout |
---|---|
Critical | $15,500,000 |
High | $1,000,000 |
Medium | $100,000 |
Low | Discretionary |
Other Uniswap Contract Code
Risk Score | Payout |
---|---|
Critical | $2,250,000 |
High | $500,000 |
Medium | $100,000 |
Low | Discretionary |
Uniswap Web Interface
This is for only the Uniswap Labs web application (app.uniswap.org)
Risk Score | Payout |
---|---|
Critical | $250,000 |
High | $50,000 |
Medium | $10,000 |
Low | Discretionary |
Uniswap Labs Other Websites
This is for websites that belong to Uniswap Labs, but do not involve potential wallet interactions.
Risk Score | Payout |
---|---|
Critical | $50,000 |
High | $10,000 |
Medium | $2,000 |
Low | Discretionary |
Uniswap Labs Backend
Risk Score | Payout |
---|---|
Critical | $50,000 |
High | $10,000 |
Medium | $2,000 |
Low | Discretionary |
Uniswap Mobile Wallet/Extension Wallet
Risk Score | Payout |
---|---|
Critical | $50,000 |
High | $10,000 |
Medium | $2,000 |
Low | Discretionary |
Other Terms
By submitting your report, you grant Uniswap Labs any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at Uniswap Labs’ sole discretion. The terms and conditions of this Program may be altered at any time.
$15,500,000
Started on 26 Nov 2024
Euler / Euler-Bounty
Live
Euler V2 is a modular lending platform with two main components at launch: 1) the Euler Vault Kit (EVK), which empowers builders to deploy and chain together their own customised lending vaults in a permissionless manner; and 2) the Ethereum Vault Connector (EVC), a powerful, immutable primitive which gives vaults superpowers by allowing their use as collateral for other vaults. Together, the EVK and EVC provide the flexibility to build or recreate any type of pre-existing or future-state lending product inside the Euler ecosystem.
Euler Vault Kit:
The Euler Vault Kit is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools.
Ethereum Vault Connector
The Ethereum Vault Connector (EVC) is a foundational layer designed to facilitate the core functionality required for a lending market. It serves as a base building block for various protocols, providing a robust and flexible framework for developers to build upon. The EVC primarily mediates between vaults, contracts that implement the ERC-4626 interface and contain additional logic for interfacing with other vaults. The EVC not only provides a common base ecosystem but also reduces complexity in the core lending/borrowing contracts, allowing them to focus on their differentiating factors.
Euler Price Oracle:
Euler Price Oracle is a library of modular oracle adapters and components that implement IPriceOracle, an opinionated quote-based interface. It supports Chainlink, Chronicle, RedStone Core and Pyth through minimal, immutable adapter contracts. The EulerRouter component is a dispatcher contract that maintains a configuration of resolver oracles with an optional fallback. The router can price ERC4626 shares to assets through convertToAsset, making it a convenient entry point contract for EVK pricing.
Reward Streams:
Reward Streams is a powerful and flexible implementation of the billion-dollar algorithm, a popular method for proportional reward distribution in the Ethereum developer community. This project extends the algorithm's functionality to support both staking and staking-free (based on balance changes tracking) reward distribution, multiple reward tokens, and permissionless registration of reward distribution schemes (reward streams). This makes Reward Streams a versatile tool for incentivizing token staking and holding in a variety of use cases.
Fee Flow:
Fee Flow is an efficient, decentralized, and MEV-resistant mechanism designed to convert fee assets to a single token. It operates using a continuous auto-adjusting Dutch auction mechanism, providing a secure and optimized way to handle fee conversions in blockchain applications. This component helps streamline token economics by efficiently managing the flow of transaction fees across various assets.
Euler Earn:
Euler Earn is an open source protocol for permissionless risk curation on top of ERC4626 vaults (strategies). It functions as an ERC4626 vault itself, allowing risk curators to deploy vaults through its factory. Each vault supports one loan asset and can allocate deposits across multiple strategies. The protocol offers noncustodial, immutable instances that provide users with a streamlined way to supply liquidity and earn passive yield. While initially designed to integrate with the EVK vaults, Euler Earn can work with any ERC4626-compliant vault.
Eligibility
To qualify for a reward under this program, you must:
- Identify a previously unknown, non-public vulnerability that hasn't been reported before and is within the program's scope.
- Be the first to report the distinct vulnerability, adhering to the disclosure guidelines.
- Provide detailed information that allows our engineers to replicate and resolve the vulnerability.
- Avoid exploiting the vulnerability in any manner, including making it public or profiting from it (except for the program's reward).
- Report the vulnerability privately to us without public disclosure.
- Make every effort to prevent privacy breaches, data destruction, or interruption of the in-scope assets.
- Ensure the vulnerability isn't caused by an underlying issue that has already received a reward under this program.
- Refrain from any illegal activities when disclosing the bug, such as using threats or coercion.
- Be at least 18 years old or, if under 18, submit your finding with parental or guardian consent.
- Not be subject to OFAC sanctions or reside in a country under OFAC embargo.
- Not be a current or former employee, or a vendor or contractor involved in the code's development of the reported bug.
- Adhere to all the program's eligibility requirements.
Scope
This bug bounty focuses on the vaults, and the contracts they directly rely on, which are the smart contract addresses returned by the verifiedArray() function of the following default perspectives:
- Escrowed Collateral Perspective
- Euler Ungoverned 0x Perspective
- Governed Perspective
- Euler Ungoverned nzx Perspective
- Euler Earn Governed Perspective
Network Addresses
For the most up-to-date deployment addresses across various networks, please refer to the Euler Docs Contract Addresses. This website serves as the central source of truth for all network-specific addresses.
Steps for Security Researchers
- Access the Documentation: Visit the Euler Docs Contract Addresses to view all available network tabs.
- Identify Relevant Networks: Explore the tabs to identify the addresses that fall within the scope of the bug bounty.
- Stay Updated: Regularly check the website for new network additions, as they are automatically included in the bounty scope.
This approach allows us to ensure that security researchers have access to the most current network addresses that are in scope and can adapt to new deployments as they occur.
Example: Ethereum Mainnet
For Ethereum Mainnet, the addresses are detailed in the Ethereum Mainnet Tab Euler Docs Contract Addresses. Key addresses include:
- Escrowed Collateral Perspective: 0x4e58BBEa423c4B9A2Fc7b8E58F5499f9927fADdE
- Euler Ungoverned 0x Perspective: 0xb50a07C2B0F128Faa065bD18Ea2091F5da5e7FbF
- Euler Ungoverned nzx Perspective: 0x600bBe1D0759F380Fea72B2e9B2B6DCb4A21B507
- Governed Perspective: 0xC0121817FF224a018840e4D15a864747d36e6Eb2
- Euler Earn Governed Perspective: 0x747a726736DDBE6210B9d7187b3479DC5705165E
- Fee Flow: 0xFcd3Db06EA814eB21C84304fC7F90798C00D1e32
- Balance Tracker (Reward Streams): 0x0D52d06ceB8Dcdeeb40Cfd9f17489B350dD7F8a3
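The scope definition above is operational: the in-scope set is whatever the perspective contracts return from verifiedArray() at the time you look, so it is worth enumerating it mechanically rather than by hand. The following Foundry test is an added example (not Euler's own code) that calls verifiedArray() on each of the Ethereum Mainnet perspective addresses listed above against a local fork and prints the de-duplicated set. It assumes forge-std is installed, that ETH_RPC_URL points at a mainnet archive node, and that verifiedArray() returns address[] (inferred from the program text, which describes the function as returning contract addresses); the optional FORK_BLOCK variable pins the fork so the result is reproducible.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, console2} from "forge-std/Test.sol";

/// Minimal view of an Euler perspective contract. The signature is an
/// assumption based on the program text (verifiedArray() "returns smart
/// contract addresses"); adjust if the deployed ABI differs.
interface IPerspective {
    function verifiedArray() external view returns (address[] memory);
}

/// Enumerates the in-scope contract set on a local fork. Never run this against
/// a live chain: the program forbids live testing, and a fork is all it needs.
/// Run: ETH_RPC_URL=<archive-node> FORK_BLOCK=<n> forge test --match-contract ScopeEnumeration -vv
contract ScopeEnumeration is Test {
    struct Perspective {
        string name;
        string addr;
    }

    Perspective[] internal perspectives;   // Ethereum Mainnet perspectives from the program text
    mapping(address => bool) internal seen; // de-duplication across perspectives
    address[] internal inScope;             // union of all verifiedArray() results

    function setUp() public {
        string memory rpc = vm.envString("ETH_RPC_URL");
        uint256 pinned = vm.envOr("FORK_BLOCK", uint256(0));
        if (pinned == 0) {
            vm.createSelectFork(rpc);            // latest block (not reproducible)
        } else {
            vm.createSelectFork(rpc, pinned);    // pinned block (cite it in the report)
        }

        // Addresses exactly as published in the program text. parseAddress avoids
        // compile-time checksum failures if a published address is not checksummed.
        perspectives.push(Perspective("Escrowed Collateral Perspective", "0x4e58BBEa423c4B9A2Fc7b8E58F5499f9927fADdE"));
        perspectives.push(Perspective("Euler Ungoverned 0x Perspective", "0xb50a07C2B0F128Faa065bD18Ea2091F5da5e7FbF"));
        perspectives.push(Perspective("Euler Ungoverned nzx Perspective", "0x600bBe1D0759F380Fea72B2e9B2B6DCb4A21B507"));
        perspectives.push(Perspective("Governed Perspective", "0xC0121817FF224a018840e4D15a864747d36e6Eb2"));
        perspectives.push(Perspective("Euler Earn Governed Perspective", "0x747a726736DDBE6210B9d7187b3479DC5705165E"));
    }

    function testEnumerateScope() public {
        console2.log("fork block:", block.number);
        for (uint256 i = 0; i < perspectives.length; i++) {
            address p = vm.parseAddress(perspectives[i].addr);
            address[] memory verified = IPerspective(p).verifiedArray();
            console2.log(perspectives[i].name, p, verified.length);
            for (uint256 j = 0; j < verified.length; j++) {
                if (seen[verified[j]]) continue;     // same vault may appear in several perspectives
                seen[verified[j]] = true;
                inScope.push(verified[j]);
                console2.log("  in scope:", verified[j]);
            }
        }
        console2.log("unique in-scope contracts:", inScope.length);
    }
}
```

Because the perspective contracts, not a static list, define the scope, re-run this before submitting: a vault that was verified when you started testing may have been removed, and a newly verified one may be in scope without appearing in any document.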
Repositories in Scope
Only the contracts in the master/main branch of the following repositories that the above DEPLOYED vaults directly rely on are in scope:
Note: for Ethereum Mainnet and Base, refer to the deployed commit (Euler Vault Kit Mainnet/Base); for any other network, refer to Euler Vault Kit.
Websites in Scope
- Only the following site is in scope https://app.euler.finance
Severity Definitions
Smart Contracts Severity Levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood:high | High | High | Medium |
Likelihood:medium | High | Medium | - |
Likelihood:low | Medium | - | - |
High: These can drastically affect many users and result in major reputational, legal, or financial damage. Examples include the ability to permanently lock contracts or withdraw funds from all users, as well as broken core functionality.
Medium: These may result in loss of funds for users, but only under specific conditions and are not easy to perform, or the attacker's reward-to-cost ratio is small; they still need to be fixed. This level also covers breaking of functionality or a denial of service on users' funds.
Website Severity Levels
High
- Remote code execution
- Unauthorized access to sensitive user data
- Ability to perform actions as a privileged user
- SQL injection
- Cross-Site Scripting (XSS) with significant impact
- Authentication bypass
Medium
- Cross-Site Request Forgery (CSRF)
- Server-side request forgery
- Sensitive information disclosure
Rewards
Core Components Rewards
These rewards apply to vulnerabilities found in the core components of Euler V2 (EVC, EVK, EPO). The bug bounty focuses specifically on the vaults, and the contracts they directly rely on, which are the smart contract addresses returned by the verifiedArray() function of the perspective contracts (Escrowed Collateral, Ungoverned 0x, Ungoverned nzx, and Governed).
Severity Level | Reward |
---|---|
High | $5,000,000.00 |
Medium | $200,000.00 |
Core Components Reward Levels
- High: Up to $5,000,000.00 USD, minimum payout $200,000.00 USD
- First $2,500,000.00 paid in USDC
- Next $2,500,000.00 paid in rEUL
- Medium: Up to $200,000.00 USD, minimum payout $50,000.00 USD
Notes:
- Rewards are calculated as 10% of the vulnerability's economic impact.
- The team may adjust the program after a high-severity payout to ensure sustainability.
- rEUL token is valued using a retrospective 30-day volume-weighted average price (TWAP) of EUL on CoinMarketCap from the date of the disclosure.
Examples:
- A $1,250,000.00 reward would be paid entirely in USDC.
- A $3,500,000.00 reward would be paid as $2,500,000.00 in USDC and $1,000,000.00 in rEUL
Boosted Rewards for Usual Stability Loan Vaults
If a vulnerability qualifies for the Euler Core Components Rewards and also affects the Usual Stability Loan (USL) vaults, Usual have generously offered to increase the reward by an additional $2.5 million in USUAL tokens. This brings the total potential reward to $7.5 million.
Vaults included
The USL vaults on Ethereum Mainnet:
Severity Level | Reward |
---|---|
High | $7,500,000.00 |
Medium | $200,000.00 |
Core Components Reward Levels
- High: Up to $7,500,000.00 USD, minimum payout $200,000.00 USD
- First $2,500,000.00 paid in USDC
- Next $2,500,000.00 paid in rEUL
- Next $2,500,000.00 paid in USUAL
- Medium: Up to $200,000.00 USD, minimum payout $50,000.00 USD
Notes:
- Rewards are calculated as 10% of the vulnerability's economic impact.
- The team may adjust the program after a high-severity payout to ensure sustainability.
- Any rEUL or USUAL tokens will be priced using their respective retrospective 30-day volume-weighted TWAPs on CoinMarketCap from the date of the disclosure.
Examples:
- A $1,250,000.00 reward would be paid entirely in USDC.
- A $3,500,000.00 reward would be paid as $2,500,000.00 in USDC and $1,000,000.00 in rEUL
- A $5,500,000.00 reward would be paid as $2,500,000.00 in USDC and $2,500,000.00 in rEUL and $500,000.00 in USUAL
Supporting Components Rewards
These rewards apply to vulnerabilities found in Fee Flow and Reward Streams officially deployed by Euler.
Severity Level | Reward |
---|---|
High | $100,000.00 |
Medium | $25,000.00 |
Supporting Components Reward Levels
- High: Up to $100,000.00 USD, minimum payout $25,000.00 USD
- Medium: Up to $25,000.00 USD, minimum payout $5,000.00 USD
Notes:
- Rewards are calculated as 10% of the vulnerability's economic impact.
- The team may adjust the program after a high-severity payout to ensure sustainability.
Euler Earn Rewards
These rewards apply specifically to vulnerabilities found in the Euler Earn protocol. The bug bounty focuses specifically on the vaults, and the contracts they directly rely on, which are the smart contract addresses returned by the verifiedArray() function of the Euler Earn Governed Perspective.
Severity Level | Reward |
---|---|
High | $500,000.00 |
Medium | $100,000.00 |
Euler Earn Reward Levels
- High: Up to $500,000.00 USD, minimum payout $100,000.00 USD
- Medium: Up to $100,000.00 USD, minimum payout $25,000.00 USD
Notes:
- Rewards are calculated as 10% of the vulnerability's economic impact.
- The team may adjust the program after a high-severity payout to ensure sustainability.
Rewards for Web Interface Bugs
Severity Level | Reward |
---|---|
Critical | $25,000.00 |
High | $5,000.00 |
Medium | $1,000.00 |
Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.
Out of Scope
Contracts
Any previous issue marked as acknowledged/will not fix is not in scope to be reported again. If there has been a fix implemented, the fixed code can be treated as in scope.
- Issues described in our documentation: in-code comments, in the README and in the whitepapers.
- Issues found in previous security reviews
- Issues found in development branches
- Issues related to deploy scripts or tests
- Third party integrations not functioning as advertised
- Issues related to potentially malicious actions taken by Euler DAO controlled entities are considered out of scope as they are assumed to be trusted
- Issues related to mistakes made by governors/deployers when configuring vaults or price oracles:
  - The issue will be considered out of scope if it involves a user or vault actively opting to use something created or controlled by the untrusted actor.
- Issues related to chain re-orgs and network liveness
- Incompatibilities with ERC-4626 and ERC-20 unless they pose a direct security risk
- Issues related to non-standard tokens and their behaviors (i.e. weird-tokens)
- Incorrect hardcoded addresses would be considered low, unless there is a direct loss of funds on deployment from using them.
Euler Price Oracle-Specific
- We are aware that some Price Oracles are not compatible with all networks. For example, RedstoneCoreOracle and LidoOracle only work on Ethereum.
- Issues related to misconfiguration in the constructors, including but not limited to zero addresses, wrong base/quote tokens and invalid decimals.
- Issues related to a malicious/compromised governor in EulerRouter.
- Issues related to misconfiguration in EulerRouter, including but not limited to resolving ERC4626 vaults with insecure convertToAssets method.
- Issues related to overflows and other math errors must have a demonstrable impact with a concrete scenario.
- Issues related to censorship / frontrunning users that interact with Pyth and RedStone. We expect users to interact with the EVC or another multicall-like contract to update the price and retrieve it in a single call.
- Issues related to using non-crypto price feeds in oracle adapters, including but not limited to Stocks feeds, ETF feeds, Forex feeds and any other feeds that have working hours.
- Issues stemming from sequencer downtime on L2s, including but not limited to inexistent sequencer liveness checks.
- Issues stemming from liveness and catastrophic bugs or malicious behaviour in the integrated oracles, including but not limited to Chainlink upgrades, Chronicle caller whitelist, RedStone signers rotating, Pyth downtime due to Wormhole. By using an oracle users choose to accept those trust assumptions.
- Accurate and manipulation-resistant asset pricing is the responsibility of the vault governor. Such issues are not eligible for an Euler bug bounty unless they involve critical flaws in Euler-specific code. Therefore, issues related to pricing on a specific vault—such as exchange-rate manipulation through donation attacks or spot price manipulation—are considered out of scope.
Website-Specific
- Non-security-related bugs such as performance issues or UI glitches.
- Clickjacking on pages with no sensitive actions.
- CSRF vulnerabilities on forms with no sensitive actions.
- Reports from automated tools without a working proof of concept.
- Denial of Service (DoS) attacks.
- Content spoofing and text injection without an attack vector.
- Rate limiting or brute force attacks on non-sensitive endpoints.
- Vulnerabilities in third-party services or dependencies.
- Software version disclosure
- Flaws affecting out-of-date browsers and plugins
- Self XSS
- SSL/TLS issues, such as weak ciphers or BEAST attacks, without a demonstrable impact.
- Cloudflare resources such as /cdn-cgi/ are out of scope w/o demonstrable impact
The following activities and vulnerability types are considered out of scope for this bug bounty program and strictly forbidden:
- Physical attacks against our employees, offices, or data centers
- Social engineering attacks against our employees or users
- Vulnerabilities in applications or systems not owned by us
- Vulnerabilities requiring physical access to a user's device
- Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)
System Roles and Privileges
- Euler DAO: This entity manages the upgrade admin role in GenericFactory (if not revoked) and the admin role in ProtocolConfig.
- Euler Labs: This entity manages the oracle adapter registry, the external vaults registry and the IRM registry, as well as other day-to-day operations of the protocol.
- Vault creators/governors: Anyone can create a vault and optionally retain governance control over it. Governors are responsible for securely configuring their own vaults, and for selecting suitable vaults to use as collateral.
- EulerRouter governors: These users are responsible for maintaining the pricing sources used by the vaults.
- Synth owners/minters: These users should be considered trusted in the context of managing the synthetic asset and its distribution.
- Regular users: Any other user is considered untrusted.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with or who has ever worked with the Project Entity cannot participate in the Bug Bounty.
  - Exception: former external contractors, specifically Security Auditors/Researchers, are eligible for findings on Core Components (EVK, EVC, and EPO). Current employees, former employees, and contractors with active engagements remain excluded. Euler reserves the right to determine if there is a conflict of interest on a case-by-case basis.
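Both the Uniswap and the Euler programs above forbid live testing and recommend a local fork with Foundry. The contract below is an added example of how such a proof of concept is usually structured; it is not code from either project. It is an abstract Foundry test harness: a concrete PoC inherits it, fills in configure() (which in-scope contract, which token, whose funds) and attack() (the exploit steps), and everything else is fixed: the fork is pinned to a block given in FORK_BLOCK, the attacker is an arbitrary unprivileged address, and the test asserts the two facts a triager checks first (attacker gained, victim lost) and prints the figures the report needs. Assumed: forge-std is installed, ETH_RPC_URL and FORK_BLOCK are set, and the asset is an ERC20 whose balances forge-std's deal() can set (it writes the balance storage slot directly, which does not work for every token).

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test, console2} from "forge-std/Test.sol";
import {IERC20} from "forge-std/interfaces/IERC20.sol";

/// Fork-based PoC harness (added example, not project code). A concrete PoC
/// inherits this, sets target/asset/victim in configure() and implements
/// attack(). Every transaction runs on a local fork of a pinned block; nothing
/// is ever broadcast to a public mainnet or testnet.
abstract contract ForkPoC is Test {
    address internal constant ATTACKER = address(0xA11CE); // arbitrary, unprivileged EOA
    uint256 internal forkBlock;

    address internal target;  // in-scope contract under test
    IERC20 internal asset;    // token whose movement measures the impact
    address internal victim;  // account or contract whose funds are at risk

    /// Point the harness at the contracts under test.
    function configure() internal virtual;

    /// The exploit itself, executed with msg.sender == tx.origin == ATTACKER.
    function attack() internal virtual;

    function setUp() public {
        string memory rpc = vm.envString("ETH_RPC_URL");
        forkBlock = vm.envUint("FORK_BLOCK");      // pin the state; the report must cite this block
        vm.createSelectFork(rpc, forkBlock);
        configure();
        require(target != address(0) && victim != address(0), "configure() incomplete");

        vm.label(ATTACKER, "attacker");
        vm.label(target, "target");
        vm.label(victim, "victim");

        // Starting capital only: gas money plus a modest token balance. If the
        // exploit needs anything privileged, it is a different finding.
        vm.deal(ATTACKER, 10 ether);
        deal(address(asset), ATTACKER, 1_000 * 10 ** asset.decimals());
    }

    function testExploit() public {
        uint256 victimBefore = asset.balanceOf(victim);
        uint256 attackerBefore = asset.balanceOf(ATTACKER);

        vm.startPrank(ATTACKER, ATTACKER); // sets both msg.sender and tx.origin
        attack();
        vm.stopPrank();

        uint256 victimAfter = asset.balanceOf(victim);
        uint256 attackerAfter = asset.balanceOf(ATTACKER);

        // The two invariants triage looks for: the attacker is richer and the
        // victim poorer, using nothing but an unprivileged account.
        assertGt(attackerAfter, attackerBefore, "attacker did not profit");
        assertLt(victimAfter, victimBefore, "victim lost nothing");

        // Facts the report needs: reproduction block, chain, funds at risk
        // (the base for impact-proportional rewards), and attacker profit.
        console2.log("chain id         :", block.chainid);
        console2.log("fork block       :", forkBlock);
        console2.log("funds at risk    :", victimBefore);
        console2.log("victim loss      :", victimBefore - victimAfter);
        console2.log("attacker profit  :", attackerAfter - attackerBefore);
    }
}
```

Run the concrete PoC with `ETH_RPC_URL=<archive-node> FORK_BLOCK=<n> forge test --match-contract <YourPoC> -vvvv`; the trace output plus the printed figures covers the three items the disclosure sections ask for (conditions, reproduction steps, implications). Pinning the block matters beyond reproducibility: both programs size rewards against funds at risk at the time of reporting, so the block you cite is the one that number is read from.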
Testing Guidelines
To ensure safe and responsible testing:
- Use only your own accounts or test accounts for testing.
- Do not attempt to access, modify, or destroy data that does not belong to you.
- Be mindful of testing that might impact system availability or integrity.
- Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.
If you're unsure whether a specific test is allowed, please contact us before proceeding.
7,500,000 USDC + rEUL + USUAL
Started on 21 Aug 2024
Morpho / Morpho
Live
Morpho Blue is an immutable overcollateralized lending protocol with permissionless market creation. It implements independent lending markets, which are simple lending pools with only one collateral asset and one borrowable asset, priced through an oracle. The interest rate is given by an immutable interest rate model (IRM). Each pool is characterized by a predefined Liquidation Loan-to-Value (LLTV). Markets can be created by anyone with any ERC20 assets and oracles, with an LLTV and IRM chosen in a set predefined by governance.
MetaMorpho is a protocol for permissionless lending vaults built on top of the Morpho Blue protocol. The Morpho Blue periphery contracts are the smart contracts that form part of the Morpho Blue ecosystem, MetaMorpho among them.
Morpho Optimizer is a peer-to-peer layer on top of lending pools like Compound or Aave. Rates are seamlessly improved for both suppliers and borrowers whilst preserving the same liquidity and liquidation guarantees. In short, the Compound Optimizer is an upgraded version of Compound, and the Aave Optimizers are upgraded versions of Aave.
For more information about Morpho, please visit https://morpho.org/. Morpho provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Severity and Reward levels below.
Scope
Web apps in scope:
- https://app.morpho.org/
- https://aavev2.morpho.org/
- https://aavev3.morpho.org/
- https://compound.morpho.org/
Smart Contracts in Scope
Morpho Blue
MetaMorpho
Name (address link) | Repo |
---|---|
MetaMorpho Factory | github.com/morpho-org/metamorpho |
Public Allocator | github.com/morpho-org/public-allocator |
Metamorpho v1.1 | github.com/morpho-org/metamorpho-v1.1 |
Rewards
Bundlers
Bundler3
Morpho Optimizers
All the above contracts and their versions on the following chains are also included in the scope:
- Ethereum Mainnet
- Base
- Arbitrum
- Fraxtal
- Ink
- OP Mainnet
- PolygonPOS
- Scroll
- WorldChain
- Unichain
- Sonic
- Hemi
- Mode
- Corn
Please find the relevant addresses listed here: https://docs.morpho.org/addresses/
Severity Definitions
Smart Contracts severity levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood:high | Critical | High | - |
Likelihood:medium | High | - | - |
Likelihood:low | - | - | - |
Rewards
Rewards for Smart Contract Bugs
Severity | Reward Amount |
---|---|
Critical | $2,500,000 |
High | $50,000 |
Reward Levels
- Critical:
  - Morpho Blue contracts: up to $2,500,000, minimum payout $250,000. Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.
  - MetaMorpho and other Morpho Blue periphery contracts: up to $1,500,000, minimum payout $150,000. Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.
  - Morpho’s Optimizer contracts: up to $555,000, minimum payout $55,000. Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.
- High:
  - Up to $50,000, minimum payout $10,000.
  - In case of a temporary freeze of funds, the reward is proportional to the amount of funds locked and increases with the freeze duration, up to the maximum cap of the High severity level.
Rewards for Website and Application Bugs
Severity | Reward Amount |
---|---|
Critical | $50,000 |
High | $5,000 |
- Critical:
  - Morpho Blue (app.morpho.org): up to $50,000, minimum payout $10,000. The maximum payout of $50,000 applies if the attack results in loss of funds without any user interaction, or if any other attack gains unauthorized access to funds. All other impacts are capped at $10,000 for critical severity.
  - All other apps: up to $10,000, minimum payout $5,000. The maximum payout of $10,000 applies if the attack results in loss of funds without any user interaction, or if any other attack gains unauthorized access to funds. All other impacts are capped at $5,000 for critical severity.
Out of Scope (all repositories)
Known Issues
Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope.
- https://github.com/morpho-org/morpho-blue
- https://github.com/morpho-org/morpho-blue-irm
- https://github.com/morpho-org/morpho-blue-oracles
- https://github.com/morpho-org/metamorpho
- https://github.com/morpho-org/universal-rewards-distributor
- https://github.com/morpho-org/public-allocator
- https://github.com/morpho-org/morpho-blue-bundlers
- https://github.com/morpho-org/bundler3
- https://github.com/morpho-org/metamorpho-v1.1
- https://github.com/morpho-org/pre-liquidation
Previous Audits:
Morpho’s completed audit reports can be found at:
- https://docs.morpho.org/security-reviews/. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol. For example, the ability to deploy permissionless pools.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- COMP rewards can be claimed as part of the reserve factor if COMP is listed as market.
- Someone can repay on behalf of Morpho.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
- Some contracts are not set yet (eg: IncentivesVault).
- Manipulation of the matching engine. Here are some examples:
- Split large amounts: On Morpho, pure supplier whales are always in the first positions of the data structures and are constantly matched/unmatched. It is possible to supply a large amount from a first account, borrow and repay (free) to match oneself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge matched liquidity split across multiple accounts.
- Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it is possible to supply enough to become the first user waiting to be matched, then borrow and repay (free) to match the user itself peer-to-peer as well as the second one, then withdraw the flashloaned amount and end the tx. The user is thus matched peer-to-peer.
All other issues acknowledged in the audits in this repo:
Eligibility:
To participate in this program, security researchers must comply with the rules of engagement and must not:
- Be listed on OFAC's SDN list
- Have been an official contributor, either past or present
- Be employees or individuals closely associated with the project
- Be security auditors who directly or indirectly participated in the audit review
Morpho will require KYC information for processing payments on successful bug submissions. The following details must be provided:
- Full name
- Date of birth
- A copy of your passport or other government-issued ID
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.
$2,500,000
Started on 27 Mar 2024
Pendle Finance / Pendle Bounty
Live
Pendle is the first protocol that enables the trading of tokenized future yield on an AMM system. The project aims to give holders of yield-generating assets the opportunity to generate additional yield and to lock in future yield upfront, while offering traders direct exposure to future yield streams, without the need for an underlying collateral.
Further resources regarding Pendle can be found at pendle.finance
The bug bounty program is focused around its smart contracts and is mostly concerned with the loss of user funds.
Contracts in Scope
Network: Mainnet Ethereum
Target URL | Type |
---|---|
Explorer Link | router |
Explorer Link | ActionAddRemoveLiqV3 |
Explorer Link | ActionSwapPTV3 |
Explorer Link | ActionSwapYTV3 |
Explorer Link | ActionMiscV3 |
Explorer Link | ActionCallbackV3 |
Explorer Link | ActionStorageV4 |
Explorer Link | pendleSwap |
Explorer Link | ptAndLpOracle |
Explorer Link | yieldContractFactoryV3 |
Explorer Link | marketFactoryV3 |
Explorer Link | limitRouter |
Explorer Link | vePendle |
Explorer Link | senderEndpoint |
Explorer Link | votingController |
Explorer Link | gaugeController |
Explorer Link | feeDistributorV2 |
Network: Arbitrum
Target URL | Type |
---|---|
Explorer Link | router |
Explorer Link | ActionAddRemoveLiqV3 |
Explorer Link | ActionSwapPTV3 |
Explorer Link | ActionSwapYTV3 |
Explorer Link | ActionMiscV3 |
Explorer Link | ActionCallbackV3 |
Explorer Link | ActionStorageV4 |
Explorer Link | pendleSwap |
Explorer Link | ptAndLpOracle |
Explorer Link | yieldContractFactoryV3 |
Explorer Link | marketFactoryV3 |
Explorer Link | limitRouter |
Explorer Link | receiverEndpoint |
Explorer Link | vePendle |
Explorer Link | gaugeController |
Explorer Link | arbMerkleDistribution |
Network: Optimism
Target URL | Type |
---|---|
Explorer Link | router |
Explorer Link | ActionAddRemoveLiqV3 |
Explorer Link | ActionSwapPTV3 |
Explorer Link | ActionSwapYTV3 |
Explorer Link | ActionMiscV3 |
Explorer Link | ActionCallbackV3 |
Explorer Link | ActionStorageV4 |
Explorer Link | pendleSwap |
Explorer Link | ptAndLpOracle |
Explorer Link | yieldContractFactoryV3 |
Explorer Link | marketFactoryV3 |
Explorer Link | limitRouter |
Explorer Link | receiverEndpoint |
Explorer Link | vePendle |
Explorer Link | gaugeController |
Network: Binance Smart Chain
Target URL | Type |
---|---|
Explorer Link | router |
Explorer Link | ActionAddRemoveLiqV3 |
Explorer Link | ActionSwapPTV3 |
Explorer Link | ActionSwapYTV3 |
Explorer Link | ActionMiscV3 |
Explorer Link | ActionCallbackV3 |
Explorer Link | ActionStorageV4 |
Explorer Link | pendleSwap |
Explorer Link | ptAndLpOracle |
Explorer Link | yieldContractFactoryV3 |
Explorer Link | marketFactoryV3 |
Explorer Link | limitRouter |
Explorer Link | receiverEndpoint |
Explorer Link | vePendle |
Explorer Link | gaugeController |
Network: Mantle
Target URL | Type |
---|---|
Explorer Link | router |
Explorer Link | ActionAddRemoveLiqV3 |
Explorer Link | ActionSwapPTV3 |
Explorer Link | ActionSwapYTV3 |
Explorer Link | ActionMiscV3 |
Explorer Link | ActionCallbackV3 |
Explorer Link | ActionStorageV4 |
Explorer Link | pendleSwap |
Explorer Link | ptAndLpOracle |
Explorer Link | yieldContractFactoryV3 |
Explorer Link | marketFactoryV3 |
Explorer Link | limitRouter |
Explorer Link | receiverEndpoint |
Explorer Link | vePendle |
Explorer Link | gaugeController |
Additional scope:
All StandardizedYieldToken, PendlePrincipalToken, PendleYieldToken, PendleYieldTokenV2, and PendleMarket contracts of assets listed under the links below are in scope. Note that each asset will have a different SY but the same PT, YT, and Market.
Award Levels
Rewards are capped at 10% of economic impact.
- Very Critical: Up to $2,000,000 USD, minimum payout $200,000 USD
- Critical: Up to $1,000,000 USD, minimum payout $100,000 USD
- High: Up to $100,000 USD, minimum payout $20,000 USD
- Medium: Up to $20,000 USD
- Below Medium: To be awarded at the discretion of Pendle Finance
Severity Definitions
For manipulation that can steal/freeze users' funds (excluding unclaimed yield)
Likelihood/Impact | >10% TVL | 1-10% TVL | < 1% TVL |
---|---|---|---|
High | Very Critical | Critical | High or Critical |
Medium | Critical | High or Critical | High |
Low | High or Critical | High | Medium |
For other manipulation
The Pendle team will exercise its discretion, together with the Cantina team, to judge the severity with the aim of awarding fairly to security researchers.
Likelihood/Impact | Significant | Moderate | Minimal |
---|---|---|---|
High | High or Critical | High | Medium |
Medium | High | Medium | Below Medium |
Low | Medium | Below Medium | Below Medium |
Out of Scope (all repositories)
If an issue is discovered and is not from the files listed as In Scope above, security researchers are encouraged to report the finding. Awards for out of scope issues to be determined at the discretion of Pendle Finance.
The Pendle team will be very flexible in assessing all submissions, with the goal of prioritizing the security of the protocol.
Known Public Issues
Known issues from previous security reviews are considered out of scope.
- pendle-core-v2-public/audits are considered as out-of-scope.
Known but not Public Issues
Are considered out of scope.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
$2,000,000
Started on 14 Jun 2024
Kiln / Kiln V1 Bounty
Live
Kiln On-Chain (v1) enables non-custodial platforms to propose an ETH staking offer where users can stake on dedicated validators while remaining the only one able to access their staked assets. The goal of these Ethereum Smart Contracts is to enable:
- Operator to register its validation keys deposit data on the Smart Contract
- Users to deposit on approved and available validation keys
- Manage the Execution and Consensus Layer rewards and exited ETH
- Perform the commission dispatching on these ETH when user performs a withdrawal action
This Bug Bounty is focused on the Staking Smart Contracts only, all items regarding dApps or validation infrastructure are out of scope.
For more information about Kiln On-Chain, please visit https://www.kiln.fi/. Kiln provides rewards in USDC. For more details about the payment process, please view the Rewards & Severity Levels below.
Smart Contracts in Scope
All code of Kiln can be found at
Documentation for the assets provided in the table can be found at
Severity Definitions
Smart Contracts severity levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood:high | Critical | High | Medium |
Likelihood:medium | High | Medium | - |
Likelihood:low | Medium | - | - |
Critical:
- Complete loss of funds or permanent freezing of funds
High:
- Theft of unclaimed yield, commission/fees, or permanent freezing of unclaimed yield
- Temporary freezing of funds > 2 days (excluding potential delay due to an oracle)
Medium:
- Smart contracts inoperable due to lack of funds
- Griefing or unbounded gas consumption
A PoC is required for the following severity levels:
- Smart Contract:
- Critical
- High
- Medium
Rewards
Rewards for Smart Contract Bugs
Severity | Reward Amount |
---|---|
Critical | $1,000,000 |
High | $100,000 |
Medium | $20,000 |
Reward Levels
- Critical: up to $1,000,000, minimum payout $100,000. Rewards will be further capped at 10% of direct funds at risk based on the valid PoC provided.
- High: up to $100,000, minimum payout $20,000. Rewards will be further capped at 100% of direct funds at risk based on the valid PoC provided. In case of a temporary freeze of funds, the reward is proportional to the amount of funds locked and increases with the freeze duration, up to the maximum cap of the High severity level.
- Medium: up to $20,000, minimum payout $5,000. Rewards will be further capped at 100% of direct funds at risk based on the valid PoC provided.
- The bug bounty will have a hard cap of $1,500,000. If multiple bug findings are submitted whose rewards together exceed this amount, rewards will be distributed on a first come, first served basis.
Out of Scope
These impacts are out of scope for this bug bounty program. General:
- Consequences resulting from exploits the reporter has already carried out, which lead to damage.
- Issues caused by attacks that require access to leaked keys or credentials.
- Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
- Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
- References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.
Smart Contracts:
- Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
- Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
- Problems related to insufficient liquidity.
- Issues stemming from Sybil attacks.
- Concerns involving risks of centralization.
- Suggestions for best practices.
Roles:
- Operator, Admin and Proxy Admin are trusted to behave properly and in the best interest of the users. They should not be considered as malicious. Submissions citing malicious behaviour of these roles will be considered invalid.
Known Issues
Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Disclosure
Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:
- Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
- Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
- During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
- After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
- The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
- If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.
KYC
The following information is required for payments:
- If the claim comes from an individual:
- The first names, surnames, date and place of birth of the person concerned
- A Valid ID
- If the claim comes from a business:
- Legal form, name, registration number and address of the registered office
- Valid certificate of incorporation
- List of shareholders/directors
- The first names, surnames, date and place of birth of the person concerned
Eligibility
Security researchers who fall under any of the following are ineligible for a reward
- Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Any denial of service attacks that are executed against project assets
- Automated testing of services that results in a denial of service
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
- Attempting phishing or other social engineering attacks against our employees and/or customers
$1,000,000
Started on 9 Sep 2024
LI.FI / lifi-contracts-bounty
Live
LI.FI is a cross-chain aggregation protocol that combines multiple bridges and DEXs to enable seamless asset transfers between different blockchains. The protocol uses a diamond pattern (eip-2535) smart contract architecture where a main contract delegates calls to specialized facet contracts that handle specific bridge and DEX integrations. It simplifies cross-chain transfers for both developers and users by providing a single unified solution instead of requiring individual bridge integrations.
Scope
In-Scope Targets:
- Smart Contracts:
  - Repository: https://github.com/lifinance/contracts
  - Commit: Latest commit
  - Files: src/*
- Website:
- WebApp:
  - portal.li.fi
  - li.quest (api)
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
Bridge-Specific Exclusions and DEX Aggregation Exclusions
- Relayer Latency: Issues related to bridge transaction confirmation times without security impact
- Bridge Fee Fluctuations: Economic concerns about variable bridge fees
- Cross-Chain Reorg Scenarios: Theoretical concerns requiring deep blockchain reorganizations
- Bridge Liquidity Limitations: Reports about insufficient liquidity on specific chains
- Oracle Price Delays: Standard delays in price feeds without demonstration of exploitation
- Slippage Within Tolerance: Expected price impacts within user-specified slippage limits
- MEV and Front-Running: Standard front-running that's inherent to public blockchains
- Route Optimization Suggestions: Reports suggesting better routing algorithms without security impact
- Gas Optimizations: Suggestions for reducing gas costs without security implications
- DEX Availability Issues: Temporary unavailability of specific integrated DEXes
Smart Contract Technical Exclusions
- Centralization By Design: Admin control features that are documented and intentional
- Non-Exploitable Reentrancy: Reentrancy patterns with proper safeguards in place
- Flash Loan Attacks: Without proof of impact under realistic market conditions
- Upgradeability Concerns: Issues inherent to our documented upgradeability pattern
- Governance Attacks: Requiring unrealistic token accumulation (>10% of total supply)
- Known & Acknowledged Issues: Any issue previously reported in an audit and acknowledged by the LI.FI team (find previous audit reports here)
- Self-Crafted Calldata Risks: Our contracts are designed to be used with calldata generated by our backend. Any issues resulting from manually crafted calldata are out of scope, as such calldata may bypass protocol-level safety checks intentionally excluded for gas optimization.
- Idle Fund Access in LiFiDiamond: The LiFiDiamond contract is not meant to hold funds. Crafting calldata to move or steal residual funds or dust is expected behavior and not a protocol vulnerability.
- Cross-EVM Address Mismatch: Certain EVMs (e.g., zkEVMs) may produce different contract addresses. If this leads to issues not affecting production contracts and not triggered by backend-generated calldata, they are out of scope.
- Deprecated Contracts: Anything located in the /archive folder is considered deprecated and out of scope.
- Automated Findings by Lightchaser: Findings from this list are excluded unless otherwise validated by the team.
- Duplicate Vulnerability Reports: Any vulnerability previously known and acknowledged by the LI.FI team
- Atomic Transaction Reverts: Failures of individual swap or bridge steps within multi-step transactions are expected and revert the full transaction by design — this is not a vulnerability.
- Precision & Dust Reverts in Integrations: Minor dust-related issues or precision mismatches causing reverts (e.g., underflows, insufficient input amounts) due to external DEX behavior are considered known limitations and out of scope.
Out of Scope / Invalid Reports
- Third-Party Protocol Issues: Bugs in third party code are out of scope
- Known Issues: Vulnerabilities listed in our documentation as "Known Issues"
- Test Code Vulnerabilities: Issues in non-production test code
- User Error Scenarios: Vulnerabilities requiring users to input obviously incorrect parameters
- Theoretical Exploits: Attack scenarios without practical proof-of-concept
- Known Issues Under Remediation: Vulnerabilities that have already been identified or are in the process of being fixed.
WebApp & Website Exclusions
The following vulnerability types are explicitly excluded from the bug bounty program:
- Client-Side Static Injections: Vulnerabilities that require modifying client-side code via browser developer tools or similar methods are not considered valid submissions.
- Self-XSS Requiring Browser Console: Attacks requiring the victim to paste malicious code into their browser console are excluded.
- OR-Based Injection Techniques: SQL injections or similar attacks that rely solely on logical OR operators without demonstrating actual data extraction or manipulation.
- Theoretical Vulnerabilities: Issues that cannot be demonstrated with a practical proof of concept.
- Rate Limiting Bypass through Multiple IPs: Using multiple IP addresses to circumvent rate limiting is not considered a valid vulnerability.
- Missing Security Headers: Reports solely about missing security headers without demonstrating an actual exploit will not be accepted.
- Social Engineering Required: Vulnerabilities requiring substantial social engineering to exploit are excluded.
- Unvalidated Reports from Automated Tools: Findings from automated scanning tools without manual verification and exploitation proof.
- Attacks Requiring Physical Access: Any attack that requires physical access to a user's device.
- Clickjacking Using Iframes: Vulnerabilities related to framing the application within iframes (clickjacking) are excluded as these are addressed by our security headers and Content Security Policy.
- Zero-day issues are not valid for five days after the CVE is publicly disclosed.
Documentation/Minor Issues
- Documentation Discrepancies: Without security impact
- Missing Events: Lack of event emissions that don't impact security
- Missing Zero-Address Checks: Unless they lead to permanent fund loss
- Missing Input Validation: For non-critical parameters
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups. We can set up a test environment upon request.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by LI.FI, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
The report must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must meet the following requirements:
Vulnerability Requirements
- Discover Original Vulnerabilities: Submit previously unreported, in-scope vulnerabilities that aren't publicly known.
- First Reporter Advantage: Be the first to report a specific vulnerability through proper channels.
- Provide Clear Reproduction Steps: Include detailed information allowing our team to verify and fix the issue.
- Responsible Disclosure: Report privately without public disclosure or exploitation for personal gain.
- Minimize Impact: Take reasonable precautions to avoid data loss, privacy violations, or service disruptions.
Researcher Requirements
- No Duplicate Rewards: The vulnerability must not stem from an issue that has already received a bounty.
- Legal Compliance: Use only legal methods when identifying and reporting vulnerabilities. Threats or coercion will disqualify submissions.
- Age Requirement: Be at least 18 years old, or have parental/guardian consent if younger.
- Sanctions Compliance: Not be subject to OFAC sanctions or reside in countries under OFAC embargo.
- No Conflicts of Interest: Not be a current/former employee, vendor, or contractor who worked on the vulnerable code.
- Program Compliance: Follow all program rules and guidelines as detailed in our documentation.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions for Smart Contracts:
- Critical:
- An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 50%-100% of the daily total user transfers across all EVM chains supported by LI.FI.
- Governance
- High:
- An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 20%-50% of the daily total user transfers across all EVM chains supported by LI.FI.
- Medium:
- An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 0.5%-20% of the daily total user transfers across all EVM chains supported by LI.FI.
- Issues that could impact numerous users and have serious reputational, legal or financial implications
- Low/Informational:
- Minimal direct risk but may indicate areas for improvement.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires very specific conditions.
Impact Definitions for WebApp and Website:
Critical
- For Website
- Remote code execution (RCE) on production servers
- SQL injection leading to full database access
- Authentication bypass allowing unrestricted access to admin functionality
- Ability to access, modify, or delete other users' data without authorization
- Stored cross-site scripting (XSS) in high-traffic areas affecting multiple users
- Session fixation/hijacking allowing complete account takeover
- CSRF vulnerabilities that can change critical account settings or perform privileged actions
- Vulnerabilities exposing PII (personally identifiable information) of multiple users
- Insecure direct object references (IDOR) affecting sensitive data
- Upload functionality allowing execution of malicious files
- WebApp
- Authentication bypass allowing unrestricted API access
- Authorization flaws allowing access to other users' data or functionality
- Injection vulnerabilities (SQL, NoSQL, etc.) with significant data exposure
- Broken access controls leading to privilege escalation
- API keys or secrets exposure in responses
- Rate limiting bypass that could lead to service disruption
- Business logic flaws allowing unlimited resource consumption
- Insecure deserialization vulnerabilities
- Server-side request forgery (SSRF) with access to internal systems
- Side-channel attacks revealing encryption keys or sensitive data
High Impact
- Website
- Stored XSS in less critical areas
- Reflected XSS requiring minimal user interaction
- CSRF vulnerabilities affecting important but non-critical functions
- Open redirects with potential for sophisticated phishing
- Username/email enumeration combined with weak rate limiting on login
- Insecure password reset functionality
- Web Cache poisoning leading to injection of malicious code
- Clickjacking vulnerabilities on sensitive functions
- Unvalidated redirects to malicious sites
- Moderate information disclosure of system information
- WebApp
- Improper input validation leading to unexpected behavior
- Insecure implementation of API authentication
- Missing function-level authorization checks
- Excessive data exposure in API responses
- Improper asset management (unpatched/outdated API endpoints)
- Mass assignment vulnerabilities
- Unprotected admin functionality
- Web Cache poisoning leading to injection of malicious code
- Sensitive operation without requiring re-authentication
- Insecure default configurations
Medium Impact
- Website
- DOM-based XSS requiring complex user interaction
- Reflected XSS with limited impact
- CSRF in non-sensitive functions
- Clickjacking on non-sensitive pages
- Missing security headers (CSP, X-Frame-Options, etc.)
- Weak password policies
- Username/email enumeration
- Web Cache poisoning leading to significant user disruption
- Overly verbose error messages revealing implementation details
- Insecure cookie settings (missing Secure/HttpOnly flags)
- Mixed content warnings
- WebApp
- Lack of proper HTTPS implementation
- Missing rate limiting on non-critical endpoints
- Verbose error messages revealing implementation details
- Inconsistent authorization checks
- Web Cache poisoning leading to significant user disruption
- API versioning issues causing backward compatibility problems
- Response manipulation weaknesses
- HTTP method overriding issues
Low Impact
- Website
- Self-XSS (requiring significant user interaction)
- Cross-site request forgery (CSRF) on non-sensitive actions
- Minor client-side security issues with limited impact
- Minor information disclosure (versions, technology stack)
- Missing but non-critical security headers
- Expired SSL/TLS certificates
- Lack of DNSSEC
- Lack of HTTP Strict Transport Security (HSTS)
- Minor issues with content security policy
- WebApp
- Lack of API documentation
- Lack of security-related HTTP headers
- Unnecessary HTTP methods enabled
- Improper caching configurations
- Verbose API error codes
- Outdated API versions still accessible but not used
- Disclosure of non-sensitive server information
- Missing MIME type checking with limited security impact
- Lack of HTTP security headers on API responses
- Suboptimal implementation of rate limiting
- Insufficient logging of security events
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires very specific conditions.
Payout Guidelines
- Core Smart Contract Code
Risk Score | Payout Range |
---|---|
Critical | $100,000 to $1,000,000 |
High | $10,000 to $100,000 |
Medium | $5,000 to $10,000 |
Low | Discretionary |
Rewards are capped at 10% of the funds impacted
- WebApp:
Risk Score | Payout Range |
---|---|
Critical | $10,000 to $25,000 |
High | $1,000 to $10,000 |
Medium | $500 to $1,000 |
Low | Discretionary |
- Website:
Risk Score | Payout Range |
---|---|
Critical | $2,500 to $7,500 |
High | $1,000 to $2,500 |
Medium | Up to $1,000 |
Low | Discretionary |
Note: Actual reward amounts are determined at LI.FI’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant LI.FI the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of LI.FI. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$1,000,000
Started on 20 Mar 2025
PancakeSwap / PancakeSwap Infinity
Live
PancakeSwap is a leading multi-chain DEX with ~$2B in TVL. It offers several products such as farming, derivatives, etc. PancakeSwap Infinity is the newest version of the DEX, designed to make swapping & liquidity provisioning faster, cheaper, and more flexible. It uses a modular design that allows for more customization using hooks and supports different types of AMM pools.
Scope
In-Scope Targets:
Core Contracts:
Contract | Address |
---|---|
Vault | 0x238a358808379702088667322f80aC48bAd5e6c4 |
CLPoolManager | 0xa0FfB9c1CE1Fe56963B0321B32E7A0302114058b |
BinPoolManager | 0xC697d2898e0D09264376196696c51D7aBbbAA4a9 |
CLProtocolFeeController | 0x12F2a2965A665F8aBCf955C4dA26CC4Ec437b2c8 |
BinProtocolFeeController | 0xC7C41cc1F0f4BC4CA96ac860E5c724B9A265B9A8 |
CLPoolManagerOwner | 0x13f818BDC906C16764d8325809B4b67A9981f792 |
BinPoolManagerOwner | 0x10944942c7EC351A4Aa36D59A40Cb741cc5c37cB |
Contract | Address |
---|---|
CLPositionManager | 0x55f4c8abA71A1e923edC303eb4fEfF14608cC226 |
BinPositionManager | 0x3D311D6283Dd8aB90bb0031835C8e606349e2850 |
CLQuoter | 0xd0737C9762912dD34c3271197E362Aa736Df0926 |
BinQuoter | 0xC631f4B0Fc2Dd68AD45f74B2942628db117dD359 |
MixedQuoter | 0x2dCbF7B985c8C5C931818e4E107bAe8aaC8dAB7C |
TickLens | 0x8BcF30285413F25032fb983C2bF4deFe29a33f3a |
Contract | Address |
---|---|
UniversalRouter | 0xd9c500dff816a1da21a48a732d3498bf09dc9aeb |
CLDynamicFeeHook (baseLpFee: 0.3%) | 0x80DAf0057F5A454e70eAecD6e5F6769f563F7AC3 |
CLDynamicFeeHook (baseLpFee: 0.1%) | 0x7136a877Cf751ffc7e826F64B72b3ac41ccc15EC |
CLDynamicFeeHook (baseLpFee: 0.05%) | 0x32C59D556B16DB81DFc32525eFb3CB257f7e493d |
CLFeeHelper | 0x4e6825d29BbeA5F29Ee7AEfA40C3EAaBB27A9733 |
Distributor | 0xEA8620aAb2F07a0ae710442590D649ADE8440877 |
CampaignManagerV1 | 0x26Bde0AC5b77b65A402778448eCac2aCaa9c9115 |
HarvestReceiver | 0x328F54EF595876aEB3061046a9d119ac7bCe9d5f |
HarvestKeeper | 0x2e56D72BA76239C359062f5155cBF76cCa0Ea277 |
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Anything outside of the in scope contracts.
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by PancakeSwap, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Report must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue (proof of concept preferred).
- Conditions under which the issue occurs.
- Potential implications if exploited.
- Reports should be made as soon as possible, ideally within 24 hours of discovery.
- If a reported issue is exploited before it is fixed, the submission will not be eligible for a bounty.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Core Smart Contract Code
Risk Score | Payout Range |
---|---|
Critical | Up to $1,000,000 |
High | Up to $20,000 |
Medium | Up to $2,000 |
Low | - |
Note:
- Rewards will be further capped at 5% of direct funds at risk at the time of reporting the bug.
- Actual reward amounts are determined at PancakeSwap’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant PancakeSwap the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of PancakeSwap. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$1,000,000
Started on 29 Apr 2025
Story / story-protocol
Live
Story is a peer-to-peer intellectual property network that creates a programmable market for knowledge and creativity. Scientific and creative assets are registered on a universal ledger with customizable usage parameters. All assets are equipped with a composable interface that can be consumed by any software application or artificial intelligence model, allowing intellectual property to be used and monetized across the internet. A network-wide graph coordinates all intellectual property assets, with nodes representing atomic assets and edges representing the legal and economic commitments between them. The network evaluates the uniqueness of each asset via an asynchronous and decentralized validation service driven by cryptoeconomic incentives. Participation in the protocol contributes to the growth of the only open and permissionless repository of the world's knowledge and creativity.
In Scope:
The World's IP Blockchain has several layers: a Layer 1 blockchain (a Cosmos fork as the consensus layer, and a Geth fork with the IPGraph precompile as the execution layer), the Proof of Creativity smart contract protocol, and several apps to help users.
Blockchain Layer
Payout Matrix:
Payments will be in $IP tokens, denominated in USD at the time of submission.
Severity | Impact | Reward |
---|---|---|
Critical | Minting tokens violating protocol invariants (tokens per block, staked tokens). Takeover of smart contract admin methods. Violating BFT assumptions, acquiring voting power vastly disproportionate (20x) to stake, or any other issue that can meaningfully compromise the integrity of the blockchain's proof of stake governance. User Fund Vulnerabilities: Exploits causing the permanent locking, loss, or theft of multiple user funds greater than $5M. Network not being able to confirm new transactions (total network shutdown) requiring a hard fork or rollback to resolve | $30,000 - $600,000 |
High | Temporary total network shutdown or unintended chain split (duration greater than 1 hour). Non network critical loss of funds at protocol level | $10,000 - $30,000 |
Medium | Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network. Moderate impact on usability, monetary losses, or integrity | $2,000 - $10,000 |
Low | Small impact, minor exploit that does not affect security | $500 - $2,000 |
Informational | No direct security impact, but best practice improvements | $0 - $100 |
Repos
- https://github.com/piplabs/story
- https://github.com/piplabs/story/tree/main/contracts
- https://github.com/piplabs/story-geth (Only the vulnerabilities related to our modifications to the Geth codebase)
- Story's modifications to Cosmos
Smart Contract Layer: Proof of Creativity Smart Contract Protocol and Periphery
Payout Matrix:
Payments will be in $IP tokens, denominated in USD at the time of submission.
Severity | Impact | Reward |
---|---|---|
Critical | Protocol critical loss of funds and/or IPAsset property. Total denial of service caused by errors in the protocol smart contracts. Governance takeovers for protocol critical roles | $50,000 - $150,000 |
High | Non protocol-critical loss of funds and/or IPAsset property. Partial denial of service caused by errors in the protocol smart contracts | $10,000 - $50,000 |
Medium | Moderate impact on usability, monetary losses, or integrity | $2,000 - $10,000 |
Low | Small impact, minor exploit that does not affect security | $500 - $2,000 |
Informational | No direct security impact, but best practice improvements | $0 - $100 |
Repos
- https://github.com/storyprotocol/protocol-periphery-v1
- https://github.com/storyprotocol/protocol-core-v1
App Layer: Website, Apps and APIs:
- .storyprotocol.xyz
- .storyrpc.io
- .storyprotocol.net
- .story.foundation
- .storyapis.com
- .piplabs.xyz
Payout Matrix:
Payment will be in $IP tokens, denominated in USD at the time of submission.
Severity | Impact | Examples | Reward |
---|---|---|---|
Critical | Full compromise of wallets, infrastructure, or API security | Account takeover, Private key leakage, RCE on production systems, SSRF leading to internal network access, database dumps with sensitive data, critical auth bypass, takeover of Story Protocol's cloud environment (e.g., AWS, GCP, Azure) | $3000 - $30000 |
High | Major security impact but no full compromise | High-impact IDOR, significant authentication/authorization bypass, stored XSS affecting admin or privileged users, SSRF leading to internal metadata exposure, high-severity API leaks | $1500 - $3000 |
Medium | Moderate security impact with limited scope | Low-impact IDOR, reflected/stored XSS affecting standard users, moderate API misconfigurations, rate-limiting bypasses that allow mass account enumeration, sensitive information exposure in error messages | $500 - $1500 |
Low | Minor security misconfigurations with limited real-world impact | Self-XSS, missing security headers, lack of HTTP-only or secure flags on cookies, rate-limiting bypass on non-sensitive endpoints | $100 - $500 |
Informational | No immediate security impact, but good security hygiene | Minor misconfigurations, DNS record leaks, outdated libraries (with no PoC exploit), security best-practice suggestions | $0 |
Out of Scope:
The following vulnerabilities are excluded from the rewards for this bug bounty program:
- Entries generated with ChatGPT/LLM tools.
- Entries without any working POC.
- Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
- Previously known vulnerabilities in Tendermint, cosmos-sdk and/or any other fork of these.
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
- Impacts caused by attacks requiring access to leaked keys/credentials.
- Impacts caused by attacks requiring access to privileged addresses (governance and other RBAC roles) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible.
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production.
- Issues reported in the previous Cantina Competition. Report available soon.
- Issues from our previous security audits.
- Feature requests and best practice recommendations.
- Social engineering and phishing.
Smart Contracts/Blockchain
- Incorrect data supplied by third party oracles.
- Impacts requiring basic economic and governance attacks (e.g. 51% attack).
- Lack of liquidity impacts.
- Impacts from Sybil attacks.
- Impacts involving centralization risks.
- 3rd party asset drainers that use phishing and ERC20/ERC721 approve() or other standard methods.
Website and Apps
- Theoretical impacts without any proof or demonstration.
- Impacts involving attacks requiring physical access to the victim device.
- Impacts involving attacks requiring access to the local network of the victim.
- Reflected plain text injection (e.g. url parameters, path, etc.).
- This does not exclude reflected HTML injection with or without JavaScript.
- Open ports with no proven risk (e.g., port 22 open on SSH with key-based authentication).
- Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
- Stack traces & error messages (unless they leak sensitive information).
- Captcha bypass using OCR without impact demonstration.
- Impacts causing only the enumeration or confirmation of the existence of users or tenants.
- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
- Lack of SSL/TLS best practices.
- Impacts that only require DDoS.
- UX and UI impacts that do not materially disrupt use of the platform.
- Impacts primarily caused by browser/plugin defects.
- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
- Publicly accessible .git directories (if no sensitive files are exposed).
- SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
- Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
- Clickjacking on non-sensitive pages (e.g., informational pages).
- Self-XSS (XSS that only affects the person reporting it).
- CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
- CORS misconfigurations that do not allow credential theft or sensitive data exposure.
- Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
- Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
- Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
- Session fixation (not relevant if the system uses stateless authentication like JWTs).
Program Rules
- Theoretical entries, entries without any working POC, and ones generated with ChatGPT/LLM tools will be discarded. Any medium or higher severity vulnerability should come with a working POC that can be demonstrated on a local test environment reproducible with the instructions in the appendix.
- You must send a clear and concise textual description of the vulnerability, along with steps to reproduce the issue and/or a proof of concept; include attachments such as screenshots or proof-of-concept code as necessary.
- Avoid using web application scanners for automated vulnerability searching, which generates massive traffic.
- Make every effort not to damage or restrict the availability of products, services, or infrastructure.
- Avoid compromising any personal data, interruption, or degradation of any service.
- Don't access or modify other users' data; limit all tests to your own accounts.
- Perform testing only within the scope.
- Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam.
- Don't spam forms or account creation flows using automated scanners.
- Don't break any law and stay in the defined scope.
- Any details of found vulnerabilities must not be communicated to anyone who is not Cantina Team or an authorized employee of Piplabs or Story Foundation without appropriate permission.
- If your finding is valid, you will be asked to complete KYC verification to proceed with payment.
Eligibility
We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:
- Current employees, vendors (auditors), partners and contractors of Story Protocol and Story Foundation are not eligible to participate in the bug bounty program.
- Former employees and contractors of Piplabs and Story Foundation who have ceased working with the aforementioned entities must wait 6 months before they are eligible to participate in the bug bounty program.
- Sanctioned individuals and/or organizations are not eligible to participate in the bug bounty program. These restrictions are put in place to ensure the objectivity of the bug bounty program and to prevent any potential conflicts of interest.
- You must be the first reporter of a vulnerability.
- The vulnerability must be a qualifying vulnerability.
- Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through Cantina.
Disclosure Guidelines
- Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
- No vulnerability disclosure, including partial disclosure, is allowed for the moment. The team will disclose the vulnerability publicly when safe, thanking the researcher if they choose to.
Response Times
- Critical: Response within 24 hours.
- High: Response within 48 hours.
- Medium and Low: Response within 72 hours.
$600,000
Started on 11 Feb 2025
Kiln / Kiln V2 Bounty
Live
Kiln On-Chain (v2) enables non-custodial platforms to propose an ETH staking offer where users can stake any amount of ETH on operator pools while remaining the only one able to access their staked assets.
The goal of these Ethereum Smart Contracts is to enable:
- Operators to register the deposit data of their validation keys on their operator vFactory Smart Contract
- Operators to propose deposit services like pooling on top of their vFactory
- Integrators to propose white-labelled staking offers on top of operator pools with their Smart Contract
- Users to deposit any amount of ETH to be staked
- Integrators and Operators to have a performance fee dispatched on-chain
This Bug Bounty is focused on Kiln On-Chain v2 Smart Contracts only; all items regarding dApps or validation infrastructure are out of scope but can be submitted at [email protected].
For more information about Kiln On-Chain, please visit https://www.kiln.fi/kiln-on-chain
Smart Contracts in Scope
Documentation for the assets provided in the table can be found at
Severity Definitions
Smart Contracts severity levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood:high | Critical | High | Medium |
Likelihood:medium | High | Medium | - |
Likelihood:low | Medium | - | - |
Critical:
- Complete loss of funds or permanent freezing of funds
High:
- Theft of unclaimed yield, commission/fees, or permanent freezing of unclaimed yield
- Temporary freezing of funds > 2 days (excluding potential delay due to an oracle)
Medium:
- Smart contracts inoperable due to lack of funds
- Griefing or unbounded gas consumption
A PoC is required for the following severity levels:
- Smart Contract:
- Critical
- High
- Medium
Rewards
Rewards for Smart Contract Bugs
Severity | Reward Amount |
---|---|
Critical | $500,000 |
High | $50,000 |
Medium | $20,000 |
Reward Levels
- Critical: Up to $500,000, minimum payout $100,000. Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.
- High: Up to $50,000, minimum payout $20,000. Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided. In case of a temporary freeze of funds, the reward is proportional to the amount of funds locked and increases as the freeze duration increases, up until the maximum cap of the High severity level.
- Medium: Up to $20,000, minimum payout $5,000. Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided.
- The bug bounty will have a hard cap of $1,000,000. If multiple bug findings are submitted whose rewards exceed this amount, the rewards will be distributed on a first-come, first-served basis.
Out of Scope
These impacts are out of scope for this bug bounty program.
General:
- Consequences resulting from exploits the reporter has already carried out, which lead to damage.
- Issues caused by attacks that require access to leaked keys or credentials.
- Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
- Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
- References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.
Smart Contracts:
- Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
- Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
- Problems related to insufficient liquidity.
- Issues stemming from Sybil attacks.
- Concerns involving risks of centralization.
- Suggestions for best practices.
Roles:
- Admin, proxy admin, hatcher admin, treasury, oracles and other admin roles are trusted to behave properly and in the best interest of the users. They should not be considered as malicious. Submissions citing malicious behaviour of these roles will be considered invalid.
Known Issues
Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Disclosure
Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:
- Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
- Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
- During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
- After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
- The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
- If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.
Eligibility
Security researchers who fall under any of the following are ineligible for a reward:
- Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.
KYC
The following information is required for payments:
- If the claim comes from an individual:
- The first names, surnames, date and place of birth of the person concerned
- A Valid ID
- If the claim comes from a business:
- Legal form, name, registration number and address of the registered office
- Valid certificate of incorporation
- List of shareholders/directors
- The first names, surnames, date and place of birth of the person concerned
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Any denial of service attacks that are executed against project assets
- Automated testing of services that results in a denial of service
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
- Attempting phishing or other social engineering attacks against our employees and/or customers
$500,000
Started on 9 Sep 2024
Kiln / Kiln Defi Bounty
Live
Kiln DeFi enables non-custodial platforms to propose DeFi yield products (like lending supply or an RWA distributor) where users can deposit any amount of ERC20 tokens into a vault while remaining the only one able to access their deposited assets.
The goal of these EVM Smart Contracts is to enable:
- Users to deposit to supported protocols through a common ERC-4626 interface
- Integrators, and any third parties enabled by the integrator, to take a fee on the rewards generated or on the deposit, dispatched on-chain
This Bug Bounty is focused on Kiln DeFi Smart Contracts only; all items regarding dApps or indexing / reporting stacks are out of scope but can be submitted at [email protected].
For more information about Kiln DeFi, please visit https://www.kiln.fi/defi
Smart Contracts in Scope
Ethereum mainnet
Smart Contract | Link |
---|---|
Vault Implementation | 0x1d7f221965e68475d44d1a8357f3211799b55e24 |
VaultUpgradeableBeacon | 0x15f7f910e5a8c86e609fd11c58f7342d86d3a25c |
ConnectorRegistry | 0xEEEBc7537717a39b747015FEaE221C1F069daE0b |
VaultFactory | 0xA59a98872393BE8410C42f8EED13821fa85A32a1 |
AaveV3Connector | 0x0D97Fa6C8F668E98C1ED9f6bB9Ec6d245d11DF41 |
CompoundV3Connector | 0xF259CF58d4ddc9E3C8AbEA3EEBA5710db3F71045 |
CompoundV3MarketRegistry | 0x08f80358Ce68363Ec06304cE667F1727246C852D |
SDAIConnector | 0xb569824646a31fc950abe23B150d020c38B59D26 |
Proxy (Bitcoin.com Spark DAI vault) | 0xF4918Ef824a242602E0d3e5DB07fFd4DaC4ad3Ea |
BNB mainnet
Smart Contract | Link |
---|---|
Vault Implementation | 0x59d323355F4b257097e041C4776b7492Ed294Ea4 |
VaultUpgradeableBeacon | 0x50006F2C5C914cEF560ceeD7686f038480199202 |
ConnectorRegistry | 0xdaAd68A24d658F8e123b8620Fd8249C340749eCf |
VaultFactory | 0x004074879Bc69E9B95084580A6Cc132a19b7A3Ac |
AaveV3Connector | 0x124d426898eF174aa8D23f548fCfd13c34F91D2B |
Proxy (Cool Wallet AaveV3 USDT) | 0x4d1806C26A728f2e1b82b4549b9E074DBE5940B9 |
Arbitrum mainnet
Smart Contract | Link |
---|---|
Vault Implementation | 0x55Ee64c446c44e2bDcbD4242341D4a5A2DD61034 |
VaultUpgradeableBeacon | 0xB03DDF4375E879B8E3bc240527bc55988c975ac4 |
ConnectorRegistry | 0x75df468D9Aa3438cd12d98606Bb71B73145e9972 |
VaultFactory | 0xd717eDe67EE3c5cAf385E392f2176c320E06Dd9d |
AaveV3Connector | 0x431ED6d951C0d97D9B33Fb5e26Bc589D75C3D05d |
CompoundV3Connector | 0x0F3Fa73dcF101F328AbFdD9176Cd11a16BD7bc16 |
CompoundV3MarketRegistry | 0x9cb057f462BBd076E5dD30C5f5d5dfa97ab006D3 |
Proxy (Bitnovo Compound v3 USDC) | 0x19A0F016Ac3989e754ab8216810beD8503bDA37e |
Polygon mainnet
Smart Contract | Link |
---|---|
Vault Implementation | 0xD04a891b7d4c42f51FCF6e88e47800dAec5B0CbF |
VaultUpgradeableBeacon | 0x89312A13D978820F15bC9414ef6ec9cC004C5D1f |
ConnectorRegistry | 0xB55BCCcc4837FD5E960944cf2828e202deBF0891 |
VaultFactory | 0x8cC927d0CFb6F9ddC4E6d20f5e5d23E8162eA602 |
AaveV3Connector | 0xa85aa46892D9a0087B59883F417bF23C3Ab4c920 |
Proxy (Cool Wallet AaveV3 USDT) | 0x03441c89e7b751bb570f9dc8c92702b127c52c51 |
Optimism mainnet
Smart Contract | Link |
---|---|
Vault Implementation | 0x4094fc930CcFe3fc3A9369BE7335467dac8b20fa |
VaultUpgradeableBeacon | 0xE1CacE168150265E1b1bC6E9c1636B747928a1D8 |
ConnectorRegistry | 0x30cD15434d0d979b75ACe5116199d26623F6A804 |
VaultFactory | 0xC65f4f4E6eFaeB68F900B90AfB00bF9D5A71D102 |
AaveV3Connector | 0x35a60d4bDeedb3d6103ae1521cd985C649D81297 |
Proxy (Dakota AAVE v3 USDC) | 0xb9ebff375d5eade50ed561f611754902f70e34cf |
Documentation for the assets provided in the table can be found at https://docs.kiln.fi/v1/kiln-products/defi.
Severity Definitions
Smart Contracts severity levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood:high | Critical | High | Medium |
Likelihood:medium | High | Medium | - |
Likelihood:low | Medium | - | - |
Critical:
- Complete loss of funds or permanent freezing of funds
High:
- Theft of unclaimed yield, or permanent freezing of unclaimed yield
- Temporary freezing of funds > 2 days (excluding potential delay due to an oracle)
Medium:
- Smart contracts inoperable due to lack of funds
- Griefing or unbounded gas consumption
- Theft of any commission/fees
A PoC is required for the following severity levels:
- Smart Contract:
- Critical
- High
- Medium
Rewards
Rewards for Smart Contract Bugs
Severity | Reward Amount |
---|---|
Critical | $500,000 |
High | $50,000 |
Medium | $20,000 |
Reward Levels
- Critical: Up to $500,000, minimum payout $100,000. Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.
- High: Up to $50,000, minimum payout $20,000. Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided. In case of a temporary freeze of funds, the reward is proportional to the amount of funds locked and increases as the freeze duration increases, up until the maximum cap of the High severity level.
- Medium: Up to $20,000, minimum payout $5,000. Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided.
- The bug bounty will have a hard cap of $1,000,000. If multiple bug findings are submitted whose rewards exceed this amount, the rewards will be distributed on a first-come, first-served basis.
Out of Scope
These impacts are out of scope for this bug bounty program. General:
- Consequences resulting from exploits the reporter has already carried out, which lead to damage.
- Issues caused by attacks that require access to leaked keys or credentials.
- Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
- Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
- References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.
Smart Contracts:
- Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
- Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
- Problems related to insufficient liquidity.
- Issues stemming from Sybil attacks.
- Concerns involving risks of centralization.
- Suggestions for best practices.
Roles:
- Admin, proxy admin, hatcher admin, treasury, oracles and other admin roles are trusted to behave properly and in the best interest of the users. They should not be considered as malicious. Submissions citing malicious behaviour of these roles will be considered invalid.
Known Issues
Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to `address(0)`.
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Disclosure
Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:
- Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
- Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
- During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
- After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
- The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
- If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.
Eligibility
Security researchers who fall under any of the following are ineligible for a reward:
- Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.
KYC
The following information is required for payments:
- If the claim comes from an individual:
- The first names, surnames, date and place of birth of the person concerned
- A Valid ID
- If the claim comes from a business:
- Legal form, name, registration number and address of the registered office
- Valid certificate of incorporation
- List of shareholders/directors
- The first names, surnames, date and place of birth of the person concerned
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Any denial of service attacks that are executed against project assets
- Automated testing of services that results in a denial of service
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
- Attempting phishing or other social engineering attacks against our employees and/or customers
$500,000
Started on 9 Sep 2024
Injective / Injective
Live
Introduction
Injective is a lightning fast interoperable layer one optimized for building unmatched Web3 finance applications. Injective is incubated by Binance and is backed by prominent investors such as Jump Crypto, Pantera and Mark Cuban. The goal of this Bug Bounty Program is to encourage responsible security research by providing incentives for finding and reporting vulnerabilities in Injective’s codebase and related systems. By participating in this Program, you help us maintain a safe, secure, and reliable environment for our users.
Scope
In-Scope Targets
- Core Contracts
- Web Interface / Application
If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
Vulnerabilities found in vendor systems such as Cosmos-SDK, IBC, CometBFT and CosmWasm fall outside this policy and should be reported to the respective vendor following their disclosure policy (if any).
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Optimism, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Reports must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within scope.
- Provide sufficient information to reproduce and fix the issue.
- Not have exploited the vulnerability in a malicious manner.
- Not have disclosed the vulnerability to third parties prior to receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Core Smart Contract Code:
Risk Score | Payout Range |
---|---|
Critical | Up to $500,000 |
High | Up to $100,000 |
Medium | Up to $25,000 |
Low | Discretionary |
- Web Interface / Frontend:
Risk Score | Payout Range |
---|---|
Critical | Up to $50,000 |
High | Up to $30,000 |
Medium | Up to $10,000 |
Low | Discretionary |
Note: Actual reward amounts are determined at Injective’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.
Other Terms
By submitting a report, you grant Injective the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Injective. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.
$500,000
Started on 4 Feb 2025
Chronicle Labs / Chronicle Labs Bounty
Live
Chronicle Protocol is a novel Oracle solution that has exclusively secured over $10B in assets for MakerDAO and its ecosystem since 2017. With a history of innovation, including the invention of the first Oracle on Ethereum, Chronicle Protocol continues to redefine Oracle networks. A blockchain-agnostic protocol, Chronicle overcomes the current limitations of transferring data on-chain by developing the first truly scalable, cost-efficient, decentralized, and verifiable Oracles, rewriting the rulebook on data transparency and accessibility.
Scribe's technical documentation at `docs/` provides complete documentation of the technical decisions, external assumptions, internal invariants, as well as deployment and maintenance guides.
Smart Contracts in Scope
Scribe
chronicleprotocol/scribe/tree/v2
In scope:
- Everything in `src/`
- Special focus for us:
  - Unauthorized auth access
  - Unauthorized addition or removal of validator/feed
  - Being able to report a malicious price update
  - Constructing a non-challengeable, invalid opPoke
  - No "special" EVM assumptions, i.e. EVM fragmentation is a big issue and we want Scribe to be deployable on L2s etc. without adjustments
Severity Definitions
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
**Likelihood:high** | Critical | High | Medium |
**Likelihood:medium** | High | Medium | - |
**Likelihood:low** | Medium | - | - |
Smart Contracts
Severity level | Impact: High | Impact: Medium |
---|---|---|
Likelihood:high | $400,000.00 | $30,000.00 |
Likelihood:medium | $30,000.00 | $10,000.00 |
Out of Scope (all repositories)
Known Issues
Known issues (Acknowledged/won't fix) from previous security reviews are considered out of scope.
- Find previous security reviews here
- Schnorr signature aggregation scheme is vulnerable to rogue-key attacks (described here)
- Schnorr signature aggregation scheme is vulnerable to private keys with linear relationship (described here)
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to `address(0)`.
- Rounding errors.
- Relatively high gas consumption.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Chronicle Labs cannot participate in the Bug Bounty.
$400,000
Started on 1 May 2024
Threshold / thUSD Bounty
Live
Threshold USD is a decentralized protocol that enables you to borrow thUSD, a stablecoin soft-pegged against USD and backed by ETH and tBTC as collaterals with a minimum collateral ratio of 110%. Originated as a modified fork of Liquity Protocol, Threshold USD was built to be self-sustained through a PCV ("Protocol Controlled Value"). There is no equivalent of the LQTY token in Threshold USD. Instead, all revenues accrue into the PCV. Since there is no token, bootstrapping is completed through an Initial Protocol Loan. The result of the protocol owning its own liquidity ("PCV") is a more predictable trajectory and a sustainable long-term product. The stability pool is funded by the PCV instead of user deposits, so no funds are wasted on rewards and those funds can instead be re-injected into the stability pool. As the protocol grows and accrues fees, the stability pool will be consistently topped up.
For more information about thUSD, please visit https://app.thresholdusd.org/
Visit the docs for a complete project overview.
Smart Contracts in Scope
- All code of thUSD can be found at https://github.com/Threshold-USD/dev/tree/thUSD.
Severity Definitions
Smart Contracts severity levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood:high | Critical | High | Medium |
Likelihood:medium | High | Medium | Low |
Likelihood:low | Medium | Low | - |
- Critical:
  - Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  - Permanent freezing of funds
  - Protocol insolvency
- High:
  - Theft of unclaimed yield
  - Permanent freezing of unclaimed yield
  - Temporary freezing of funds for more than 1 week
- Medium:
  - Smart contract unable to operate due to lack of token funds
  - Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  - Unbounded gas consumption
- Low:
  - Contract functions are affected, but without loss of funds or severe impact
Website and application severity levels
- Critical:
  - Gaining access to sensitive data or files from an active server, such as:
    - `/etc/shadow`,
    - Passwords and private keys (excluding non-sensitive environment variables, open-source code, or usernames).
  - Performing authenticated, state-modifying actions (with or without blockchain state interaction) on behalf of other users without their consent.
  - Subdomain takeover that allows interactions with an already-connected wallet.
  - Direct theft of user funds.
  - Malicious activities involving an already-connected wallet, such as:
    - Altering transaction arguments or parameters,
    - Replacing contract addresses,
    - Executing malicious transactions.
- High:
  - Injecting or modifying static content on the target application without using JavaScript (Persistent), including:
    - HTML injection without JavaScript,
    - Replacing existing text with arbitrary content,
    - Uploading arbitrary files, etc.
  - Subdomain takeover without interactions involving an already-connected wallet.
  - Causing the application or website to become unavailable or go offline.
A PoC is required for the following severity levels:
- Smart Contract - All severities
- Web/App - Critical
- Web/App - High
- Web/App - Medium
Rewards
Rewards for Smart Contract Bugs
Severity | Reward Amount | PoC Required |
---|---|---|
Critical | $250,000 | Yes |
High | $20,000 | Yes |
Medium | $2,000 | Yes |
Low | $1,000 | Yes |
Reward Levels
- Critical: Up to 7,500. Rewards will be further capped at 10% of direct funds at risk if the bug discovered is exploited.
- High: Up to 5,000. Rewards will be further capped at 100% of direct funds at risk if the bug discovered is exploited.
Rewards for Website & Application
Severity | Reward Amount | PoC Required |
---|---|---|
Critical | $10,000 | Yes |
High | $5,000 | Yes |
Medium | $1,000 | Yes |
Reward Levels
- Critical: Up to 5,000. Rewards will be further capped at 10% of direct funds at risk if the bug discovered is exploited.
- High: Up to 1,000. Rewards will be further capped at 100% of direct funds at risk if the bug discovered is exploited.
Out of Scope
These impacts are out of scope for this bug bounty program. General:
- Consequences resulting from exploits the reporter has already carried out, which lead to damage.
- Issues caused by attacks that require access to leaked keys or credentials.
- Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
- Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
- References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.
Smart Contracts:
- Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
- Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
- Problems related to insufficient liquidity.
- Issues stemming from Sybil attacks.
- Concerns involving risks of centralization.
- Suggestions for best practices.
Web/App:
- Theoretical issues that lack proof or demonstration.
- Attacks requiring physical access to the victim's device.
- Problems requiring access to the victim's local network.
- CSRF issues without any state-changing security impact (e.g., logout CSRF).
- Disclosure of non-confidential server-side information, such as IP addresses, server names, or stack traces.
- Issues that only confirm the existence of users or tenants.
- Problems that involve vulnerabilities requiring unsolicited user actions that are outside normal app workflows.
- Lack of SSL/TLS best practices.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) issues.
- User experience (UX) or user interface (UI) issues that do not significantly disrupt platform usage.
- Issues primarily caused by browser or plugin defects.
- Leakage of non-sensitive API keys (e.g., Etherscan, Infura, Alchemy).
- Misconfigured SPF/DMARC records.
- Missing HTTP headers without a demonstrated impact.
- Automated scanner reports that do not demonstrate an impact.
Known Issues
thUSD has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.
Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.
- Other known issues:
  - Rounding errors in BAMM are considered economically unfeasible for exploitation and an intentional behavior
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to `address(0)`.
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Any denial of service attacks that are executed against project assets
- Automated testing of services that results in a denial of service
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
$250,000
Started on 28 Aug 2024
Panoptic / panoptic-core
Live
Panoptic is a decentralized and permissionless options trading protocol built on Uniswap V3 and V4. We’ve taken a new and innovative approach that allows us to adapt a novel form of perpetual options into a DeFi protocol with oracle-free settlement. Instead of relying on thin and centralized order books, Panoptic takes the form of an advanced lending market for Uniswap positions.
Uniswap V3 and V4 LP positions have payoff curves that are strikingly similar to those of traditional sold (short) puts. Fees collected by positions are essentially a streaming options premium (which Panoptic calls streamia) that compensate Uniswap LPs for the risks their positions carry.
The Panoptic protocol leverages this unique property of Uniswap LP positions to offer a full spectrum of options exposure to every Uniswap V3 pool in existence and many Uniswap V4 pools. Because Uniswap LPs have payoffs similar to selling options, we can create a payoff similar to buying an option by enabling traders to borrow Uniswap V3/V4 positions from LPs and short them by removing that liquidity — compensating those LPs with the fees (streamia) that would have been collected.
Similarly, options sellers can create both calls and puts by borrowing one of the tokens in a Uniswap pool and swapping them into the constituent tokens of their position. These strategies are time-tested and have been employed by savvy retail and professional traders alike.
Panoptic takes these options strategies to the next level. We created integrated, undercollateralized, and capital-efficient lending infrastructure for both ordinary tokens and Uniswap V3/V4 LPs. This infrastructure supports the management of highly advanced multi-leg positions.
This enables several firsts in the DeFi space:
- Leveraged options selling and Uniswap liquidity provision
- Leveraged options buying
- A unique commission-based fee structure that options traders will find refreshingly familiar
Scope
Smart contracts
In-Scope Targets:
- Repository: https://github.com/panoptic-labs/panoptic-v1-core
- Commit: f81567ac9b6cf1faa3c93813d1eab75c7b611ab0
- `SemiFungiblePositionManager`, `PanopticFactory` and any contracts deployed by `PanopticFactory`. (Contract addresses listed here)
- The contracts are only on Ethereum Mainnet and Unichain
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope
Smart contract
- Transfers of ERC1155 SFPM tokens are disabled.
- Construction helper functions (prefixed with add) in the TokenId library and other types do not perform extensive input validation. Passing invalid or nonsensical inputs into these functions or attempting to overwrite already filled slots may yield unexpected or invalid results. This is by design, so it is expected that users of these functions will validate the inputs beforehand.
- Tokens with a supply exceeding 2^127 - 1 are not supported.
- If one token on a pool is broken/does not meet listed criteria/is malicious there are no guarantees as to the security of the other token in that pool, as long as other pools with two legitimate and compliant tokens are not affected.
- Price/oracle manipulation that is not atomic or requires attackers to hold a price across more than one block (i.e., to manipulate a Uniswap observation, you need to set the manipulated price at the end of one block, and then keep it there until the next block) is not in scope.
- Attacks that stem from the TWAP being extremely stale compared to the market price within its period (currently 10 minutes).
- As a general rule, only price manipulation issues that can be triggered by manipulating the price atomically from a normal pool/oracle state are valid.
- Given a small enough pool and low seller diversity, premium manipulation by swapping back and forth in Uniswap is a known risk. As long as it's not possible to do it between two of your own accounts profitably and doesn't cause protocol loss, that's acceptable.
- Front-running via insufficient slippage specification is not in scope.
- It's known that liquidators sometimes have a limited capacity to force liquidations to execute at a less favorable price and extract some additional profit from that. This is acceptable even if it causes some amount of unnecessary protocol loss.
- It's possible to leverage the rounding direction to artificially inflate the total gross premium and significantly decrease the rate of premium option sellers earn/are able to withdraw (but not the premium buyers pay) in the future (only significant for very-low-decimal pools, since this must be done one token at a time).
- It's also possible for options buyers to avoid paying premium by calling settleLongPremium if the amount of premium owed is sufficiently small.
- Premium accumulation can become permanently capped if the accumulator exceeds the maximum value; this can happen if a low amount of liquidity earns a large amount of (token) fees.
- The liquidator may not be able to execute a liquidation if MAX_POSITIONS is too high for the deployed chain due to an insufficient gas limit. This parameter is not final and will be adjusted per deployed chain such that the most expensive liquidation is well within a safe margin of the gas limit.
- It's expected that liquidators may have to sell options, perform force exercises, and deposit collateral to perform some liquidations. In some situations, the liquidation may not be profitable.
- In some situations (stale TWAP tick), force exercised users will be worse off than if they had burnt their position.
- For the purposes of this competition, assume the constructor arguments to the CollateralTracker are: 20, 2_000, 1_000, -128, 5_000, 9_000, 20, manager_address
- Depending on the token, the amount of funds required for the initial factory deployment may be high or unrealistic.
- It is feasible for the share supply of the CollateralTracker to approach 2**256 - 1 (given the token supply constraints, this can happen through repeated protocol-loss-causing liquidations), which can cause various reverts and overflows. Generally, issues with an extremely high share supply as a precondition (delegation reverts due to user's balance being too high, other DoS caused by overflows in calculations with share supply or balances, etc.) are not valid unless that share supply can be created through means other than repeated liquidations/high protocol loss.
- Only pools with hooks that have the permissions `before/afterInitialize`, `before/afterDonate`, and `before/afterSwap/returnDelta` are in scope. Hooks with additional permissions can only be considered to the extent of their effects on the operation of non-hook pools and pools with approved permissions.
- Issues where losses (to a user undertaking a given action) can be avoided by setting the ITM swap flag to false (tickLimitLow < tickLimitHigh) are out of scope.
- For any PanopticPool, it should be assumed that a Uniswap V3 pool with the same tokens is used as the external oracle contract. High and Medium submissions meeting the top-100 pool criteria should use the corresponding top 100 V3 pool as the oracle contract.
- If an insolvent account wants to prevent themselves from being liquidated or prevent an account with long positions near MIN/MAX tick from being closed or prevent the full-range liquidity add during a factory deployment, they can sell tickSpacing-wide positions from another account, buy them from an insolvent account, then add more liquidity (outside the protocol) such that the maxLiquidityPerTick would be exceeded if the removed liquidity from the long positions was added back (the capital requirements for this are very low near MIN_TICK/MAX_TICK). See L-02 on Uniswap's Certora audit.
- Pausing, upgradability, or enabling of fees of any of the external integrations are out of scope.
- Options sellers may be forced to forfeit premium they have earned if it is not settled by the users that purchase their options.
- Pools that do not meet the criteria set here: http://docs.panoptic.xyz/docs/developers/pool-criteria
- Weird ERC20 Checklist
- Automated findings by Lightchaser
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Panoptic, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
You must report vulnerabilities directly on Cantina. Please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: High | Impact: Medium |
---|---|---|
Likelihood: High | Critical | High |
Likelihood: Medium | High | - |
Critical:
- Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol insolvency
- Once TVL exceeds $1M, switch to 25-100% of total TVL directly at risk
High:
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds for more than 1 week
- Once TVL exceeds $1M switch to 1-25% TVL directly at risk
Medium:
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Unbounded gas consumption
Low:
- Contract functions are affected, but without loss of funds or severe impact
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Rewards
Panoptic Smart Contracts
Severity Level | Maximum Payout | Minimum Payout (In effect before TVL reaches $1M) |
---|---|---|
Critical | $250,000 | $50,000 |
High | $50,000 | $10,000 |
Other Terms
By submitting a report, you grant Panoptic the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Panoptic. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$250,000
Started on 14 Dec 2024
Royco / royco
Live
Royco Protocol allows anyone to create a market to incentivize any onchain transaction or series of transactions. Using Royco:
- Incentive Providers may create offers to incentivize users to perform the transaction(s).
- Action Providers may create offers to complete the transaction(s) and/or negotiate for more incentives.
When these two satisfy each other, the onchain transaction(s) execute atomically alongside the distribution of incentives. Royco Protocol is entirely non-custodial, trustless, and permissionless. It is also capital-efficient, allowing Action Providers to create many offers with the same assets.
For more information about Royco, please visit https://www.royco.org/
Royco provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.
Scope
In-Scope Targets:
- Smart Contracts:
Royco’s codebase can be found at https://github.com/roycoprotocol.
Documentation and further resources can be found on https://docs.royco.org/.
- Web Interface / Application:
Royco’s front-end codebase can be found at royco-frontend-template. Documentation and further resources can be found on https://docs.royco.org/.
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by [Program Name/Company], or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
You must report vulnerabilities directly on Cantina. Please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity Definitions
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | - |
Critical:
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of >2% of funds
High:
- Theft of unclaimed yield
Medium:
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Unbounded gas consumption
Low:
- Contract functions affected, but without loss of funds or severe impact
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Rewards
The maximum Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.
- Smart Contract Code
Severity | Maximum Payout |
---|---|
Critical | $250,000 |
High | $3,000 to $10,000 |
- Web App / Frontend
Risk Score | Payout Range |
---|---|
Critical | Up to $10,000 |
Critical web app bug reports will be rewarded only if the impact leads to:
- A loss of funds involving an attack that does not require any user action
- Private key or private key generation leakage leading to unauthorized access to user funds
Note: Actual reward amounts are determined at Royco’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Out of scope
Web3/Smart contract:
- Incorrect data supplied by third party oracles
  - Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
WebApp/Frontend:
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers.
- Theoretical impacts without any proof or demonstration
- Impacts involving attacks requiring physical access to the victim device
- Impacts involving attacks requiring access to the local network of the victim
- Reflected plain text injection (e.g. url parameters, path, etc.)
  - This does not exclude reflected HTML injection with or without JavaScript
  - This does not exclude persistent plain text injection
- Any impacts involving self-XSS
- Captcha bypass using OCR without impact demonstration
- CSRF with no state modifying security impact (e.g. logout CSRF)
- Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
- Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
- Impacts causing only the enumeration or confirmation of the existence of users or tenants
- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
- Lack of SSL/TLS best practices
- Impacts that only require DDoS
- UX and UI impacts that do not materially disrupt use of the platform
- Impacts primarily caused by browser/plugin defects
- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
- SPF/DMARC misconfigured records
- Missing HTTP Headers without demonstrated impact
- Automated scanner reports without demonstrated impact
- UI/UX best practice recommendations
Other Terms
By submitting a report, you grant Royco the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Royco. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$250,000
Started on 10 Jan 2025
Level Money / level-bug-bounty
Live
Level is a stablecoin protocol that issues lvlUSD, a stablecoin that is fully backed by USDC and USDT generating yield from blue-chip lending protocols like Aave and soon Morpho. Level has consistently provided higher yield than most major yield-bearing stablecoins while only generating yield from low risk lending protocols. Level also offers increased utility and capital efficiency by being deeply integrated into leading DeFi protocols like Morpho, Pendle and Spectra.
Scope
In-Scope Targets:
- Core Contracts:
  - Repository: https://github.com/Level-Money/contracts
  - Hash: 0e86345fed4e84d3cb24ed73cca5d4d11b504430
  - Files:
    - src/v2/*
    - script/v2/*
    - src/v1/lens/*
    - src/v1/lvlUSD.sol
    - src/v1/StakedlvlUSD.sol
    - src/v1/slvlUSDSilo.sol
- Web Interface / Application:
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Smart Contracts:
  - Any v1 directories in https://github.com/Level-Money/contracts, unless they are dependencies of v2:
    - src/v1, excluding the v2 dependencies:
      - src/v1/lens/*
      - src/v1/lvlUSD.sol
      - src/v1/StakedlvlUSD.sol
      - src/v1/slvlUSDSilo.sol
    - script/v1
    - test/v1
  - Any issues surfaced in prior audits, which can be found here: https://level-money.gitbook.io/docs/technical-documentation/audits
    - Any unfixed vulnerabilities mentioned in these reports are not eligible for reward
- Any previously-discovered bugs, including known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.
- Every issue opened in the repo, closed PRs, previous audits or contests
- Specific issues:
- Informational findings, including typos, documentation discrepancies, missing events, missing zero-address checks, and non-critical missing input validation
- Design choices related to the protocol (i.e. using permissioned addresses to manage reserves)
- Issues that can be solved by the protocol updating its reserve management criteria (ex: issues caused by deploying into low-liquidity Morpho vaults, which the protocol can simply choose not to allowlist)
- Issues that ignore trust assumptions (i.e. data supplied by third party oracles)
- Issues caused by attacks requiring excessive social engineering to acquire special privileges, including leaked keys/credentials or RBAC roles, except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Issues caused by Sybil attacks
- Issues involving centralization risk
- Any secrets/access tokens/API keys/private keys that are not being used in production
- User errors that can be easily caught in the frontend
- Rounding errors
- Any errors that can be solved with a call to BoringVault.manage() by the admin timelock (ex: claiming rewards from Aave)
- Relatively high gas consumption
- Vulnerability stemming from extreme market turmoil
- Dev branches
- Suggestions for best practices
- Known issues under remediation
- Feature requests
- Website/App:
- Theoretical impacts without any proof or demonstration.
- Impacts involving attacks requiring physical access to the victim device.
- Impacts involving attacks requiring access to the local network of the victim.
- Reflected plain text injection (e.g. url parameters, path, etc.).
  - This does not exclude reflected HTML injection with or without JavaScript.
- Open ports with no proven risk (e.g., port 22 open on SSH with key-based authentication).
- Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
- Stack traces & error messages (unless they leak sensitive information).
- Captcha bypass using OCR without impact demonstration.
- Impacts causing only the enumeration or confirmation of the existence of users or tenants.
- Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
- Lack of SSL/TLS best practices.
- Impacts that only require DDoS.
- UX and UI impacts that do not materially disrupt use of the platform.
- Impacts primarily caused by browser/plugin defects.
- Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
- Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
- Publicly accessible .git directories (if no sensitive files are exposed).
- SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
- Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
- Clickjacking on non-sensitive pages (e.g., informational pages).
- Self-XSS (XSS that only affects the person reporting it).
- CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
- CORS misconfigurations that do not allow credential theft or sensitive data exposure.
- Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
- Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
- Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
- Session fixation (not relevant if the system uses stateless authentication like JWTs).
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by [Program Name/Company], or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Report must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Level requires KYC information, including full name, date of birth, and a copy of your passport or other government-issued ID. In addition, you must not:
- Be an OFAC-sanctioned individual or be a part of an OFAC-sanctioned entity
- Reside in a country under any trade or economic sanctions by OFAC, or where the laws of the United States or local law prohibit participation
- Have been an official contributor, contractor, or employee of Level
- Be an employee of, or an individual closely associated with, Level
- Be a security auditor who has participated in the audit review
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Core Smart Contract Code
Risk Score | Payout Range |
---|---|
Critical | Up to $200,000 |
High | Up to $50,000 |
Medium | Up to $10,000 |
Low | Discretionary |
- Web Interface / Frontend
Risk Score | Payout Range |
---|---|
Critical | Up to $25,000 |
High | Up to $10,000 |
Medium | Up to $2,500 |
Low | Discretionary |
Note: Actual reward amounts are determined at Level’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant Level the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Level. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$200,000
Started on 29 Apr 2025
Delv / DELV Bounty
Live
The bug bounty program is focused on DELV's Hyperdrive smart contracts and is mostly concerned with the loss of user funds and access to those funds without user permission.
To be eligible for a reward under the DELV Bug Bounty Program, you must:
- Discover a previously unreported and non-public vulnerability that would result in a loss of or a lock on any ERC-20 token in Hyperdrive. Each bug will only be considered for a reward once. This does not include third-party platforms interacting with the system.
- Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements and the section below.
- Provide sufficient information to enable our team to reproduce and fix the vulnerability. This includes providing a PoC.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than the reward subject under this Program).
- Submit only one vulnerability per submission, unless you need to bundle vulnerabilities together in order to provide an accurate assessment of impact regarding any of the vulnerabilities.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
- Not be one of our current or former employees or contractors.
- Comply with all applicable laws.
- Not be listed on any sanctions list of the United States, the United Kingdom, the European Union, or the United Nations, or directly or indirectly owned by or associated with such a sanctioned person, or operating from or ordinarily resident in any jurisdiction subject to such sanctions.
Smart Contracts in Scope
delvtech/hyperdrive
Disclosure and Reporting Guidelines
To be eligible for a bounty, bug bounty hunters, security engineers, and researchers must:
- Make it a priority to avoid privacy violations, degradation of user experience, and disruption to production systems during security testing.
- Report vulnerabilities as soon as they have been discovered and keep them confidential between yourself and the DELV team. You may not use (other than as necessary to participate in this bug bounty program) and may not disclose to a third party any DELV confidential information, including identified vulnerabilities.
- Only use the Cantina.xyz bug reporting interface to report vulnerability information to us.
- Provide the team with at least 5 working days to investigate the issue and get back to you before taking any further action.
- DELV reserves the right to verify that the bounty hunter/researcher/security engineer meets these requirements and is eligible for payment.
- By reporting a vulnerability, you assign to Cantina (who assigns it to DELV) any intellectual property developed from your participation in this bug bounty program.
Severity Definitions
Smart Contracts
Severity level | Impact: High | Impact: Medium |
---|---|---|
Likelihood: High | $100,000.00 (Critical) | $20,000.00 (High) |
Likelihood: Medium | $20,000.00 (High) | $5,000.00 (Medium) |
Critical
- Direct theft of any user funds
High
- Any governance voting result manipulation
- Temporary freezing of funds
Medium
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
Low
- At the discretion of DELV
Not all bugs will be material or warrant a bounty.
Out of Scope (all repositories)
Known Issues
- All acknowledged issues in the delvtech/hyperdrive repo are considered out of scope
- All known issues in previous security reviews are considered out of scope
- Any attempted fixes that do not remediate the issue remain in scope if the vulnerability still exists after the fix
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third party oracles
  - Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Sybil attack
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
  - We recommend testing on local forks, for example using foundry.
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of bugs or unpatched vulnerabilities. See "Disclosure and Reporting Guidelines" above for additional protections of DELV's confidential information.
$100,000
Started on 10 Jul 2024
Alchemy / Modular Account V2
Live
Modular Account V2 contains a suite of modular smart contract accounts and modules. Modular Account V2 is maximally secure, modular, and has the cheapest creation costs amongst ERC4337-compatible smart contract accounts.
The accounts are upgradeable, can create session keys with scoped permissions on the account, and can use gas sponsorship provided by the ERC-4337 protocol. It can be used for most smart account use cases due to high flexibility from its modular design.
Modular Account V2 contains 4 smart account implementations:
- ModularAccount (ERC4337 compatible)
- SemiModularAccountBytecode (ERC4337 compatible)
- SemiModularAccountStorageOnly (ERC4337 compatible)
- SemiModularAccount7702 (EIP-7702 + ERC4337 compatible)
The repository also contains 2 signature verification modules and 4 permissioning modules.
Scope
In-Scope Targets
Smart Contracts in Scope
The following are the in-scope contracts from the GitHub repo: https://github.com/alchemyplatform/modular-account/tree/v2.0.x
Name | Address |
---|---|
AccountFactory | 0x00000000000017c61b5bEe81050EC8eFc9c6fecd |
ModularAccount | 0x00000000000002377B26b1EdA7b0BC371C60DD4f |
SemiModularAccount7702 | 0x69007702764179f14F51cdce752f4f775d74E139 |
SemiModularAccountBytecode | 0x000000000000c5A9089039570Dd36455b5C07383 |
SemiModularAccountStorageOnly | 0x0000000000006E2f9d80CaEc0Da6500f005EB25A |
ExecutionInstallDelegate | 0x0000000000008e6a39E03C7156e46b238C9E2036 |
SingleSignerValidationModule | 0x00000000000099DE0BF6fA90dEB851E2A2df7d83 |
WebAuthnValidationModule | 0x0000000000001D9d34E07D9834274dF9ae575217 |
AllowlistModule | 0x0000000000002311EEE9A2B887af1F144dbb4F6e |
NativeTokenLimitModule | 0x00000000000001e541f0D090868FBe24b59Fbe06 |
PaymasterGuardModule | 0x0000000000001aA7A7F7E29abe0be06c72FD42A1 |
TimeRangeModule | 0x00000000000082B8e2012be914dFA4f62A0573eA |
Out-of-Scope
- Smart contracts not in the v2.0.x release branch are considered out of scope.
Known Issues
Known issues from previous security reviews are considered out of scope.
- Previous security reviews can be found at: https://github.com/alchemyplatform/modular-account/tree/v2.0.x/audits
Other known issues that are out of scope:
- SemiModularAccount7702: when upgrading to an SMA7702 account from an existing account, or upgrading from an SMA7702 account to a new 7702 account, if the signature format is the same in the new account, the bundler is able to omit the upgrade from the auth tuple and keep the gas paid for updating the auth tuple. This can be mitigated by starting from or ending with an account with a different signature format. This would be addressed in a subsequent release.
- Deferred Actions: Bundlers or relayers can replace deferred actions with separate deferred actions. Deferred actions are meant to be used in a way such that removing one would cause a validation failure, e.g. approving ERC20 tokens to an ERC20 paymaster before the paymaster validation check, or installing a session key before validation of that session key, so security impacts due to such usage are considered out of scope.
Specific Types of Issues
- User error. Examples include: transferring tokens or account ownership to address(0), financial losses due to granting permissions to a malicious entity, or using a non EIP-7702 account in the EIP-7702 context.
- Interactions with 3rd party malicious code. Examples include: installing a faulty or malicious module.
- Bad behavior from owners. Examples include: an owner DoSing another owner of the same account.
- Security impacts to accounts due to issues in the ERC-4337 EntryPoint would not be eligible for a modular account bug bounty.
- Issues related to counterfactual addresses or cryptography attacks that are not economically viable. Examples include generating a hash collision to take over a user’s undeployed ERC-4337 account, or mining EOA addresses to collide with smart contract accounts.
- Design choices related to protocol. Examples include: two step ownership transfers.
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Prohibited Actions
- Social engineering (e.g. phishing, vishing, smishing) is prohibited.
- Live testing on public chains, including public mainnet deployments and public testnet deployments is prohibited.
  - We recommend testing on local forks, for example using foundry.
- Privacy violations, destruction of data, and actions that cause interruption or degradation of our services are prohibited. Only interact with accounts you own or with explicit permission of the account holder.
- Public disclosure of bugs without the written consent of the Alchemy team is prohibited.
- No Conflicts of Interest. Any individual who is or has ever been employed by Alchemy (or their family), or who is or has ever been a contractor of Alchemy, may not participate in the Bug Bounty. Additionally, any individual who has been involved in or contributed to the development of the code of the bug in question (or their family) may not participate in the Bug Bounty.
Eligibility
- You must discover a previously-unreported, non-public vulnerability that is not previously known by the Alchemy team and is within the scope of this bug bounty program (the “Program”).
- You must provide all KYC and other documents as requested.
- You must be the first to disclose the unique vulnerability, in compliance with the disclosure requirements. A vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program is not eligible for a reward.
- You must provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
- You cannot exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
- You cannot publicize or exploit a vulnerability in any way, other than through private reporting to us.
- You must refrain from any privacy violations, destruction of data, interruption or degradation of any of the assets or systems in scope.
- You cannot engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- You must be at least 18 years old at the time of submission.
- You cannot reside in a country under (or otherwise be subject to) any trade or economic sanctions by the United States Treasury’s Office of Foreign Assets Control or other applicable sanctions laws, or where the laws of the United States or local law prohibits participation.
- You cannot be one of our current or former employees (or their family member), or a vendor or contractor who has been involved in the development of the code of the bug in question.
- You must comply with all the rules of the Program, including but not limited to, refraining from engaging in any Prohibited Actions.
Severity and Rewards
Risk Classification Matrix
- Smart Contracts
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Informational |
Likelihood: Low | Medium | Medium | Low | Informational |
Rewards given are determined by the security impact, as well as the likelihood of the security impact. All submissions need to contain a clear, reproducible and working proof-of-concept to be eligible for a reward. Any submissions that do not require a redeployment would be capped at a low or medium severity.
Impact Assessment
The impact levels provided below should only be considered guidelines as the impact of a report will be defined on a case-by-case basis solely determined by Alchemy.
Critical:
- Stealing funds or permanently freezing funds from accounts on a large scale (20+% TVL across all accounts, and/or stealing native tokens or common ERC20s)
- Loss of control or access to accounts
High:
- Stealing funds, or temporarily/permanently freezing funds from accounts at a medium scale (1-20% TVL across all accounts)
- Loss of access to important features on accounts
Medium:
- Stealing funds, or temporarily/permanently freezing funds from accounts at a smaller scale (such as gas related issues)
- Loss of access to other features on accounts
- Loss of funds, or temporarily/permanently freezing funds from the AccountFactory contract
- Loss of control or access to the AccountFactory contract
Low:
- The issue does not pose an immediate risk but is relevant to security best practices.
Likelihood Assessment
The likelihood levels provided below should only be considered guidelines as the likelihood of a report will be defined on a case-by-case basis solely determined by Alchemy.
- High: Affects most accounts in production. Must affect accounts in the default configuration from the factory, or for very common use cases such as session keys, and/or requires little to no privileged access.
- Medium: Affects a significant portion of accounts in production. It must also be likely under specific conditions or scenarios, or be a reasonably common use case or a likely configuration of the account, and/or require little to no privileged access.
- Low: Rare but conceivable. This may cover use cases that are not in production today, or attacks that require privileged access.
Reward Ranges
Severity Level | Maximum Payout | Minimum Payout |
---|---|---|
Critical | Up to $100,000 USD | $50,000 USD |
High | Up to $10,000 USD | $5,000 USD |
Medium | Up to $2,000 USD | $500 USD |
Low | Discretionary | Discretionary |
Note: Actual reward amounts are determined at Alchemy’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting your report, you grant Alchemy any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at Alchemy’s sole discretion. The terms and conditions of this Program may be altered, and this Program may be wound down, at any time.
$100,000
Started on 5 Feb 2025
Cork / cork-protocol
Live
Cork is the protocol for tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens. It introduces Depeg Swaps, permissionless tokens representing the risk position of a certain asset losing its correlated peg. A new type of risk marketplace, in Cork the price of depeg swaps is established by the market, allowing people to gauge the market’s sentiment of a pegged asset’s stability. Depeg swaps can be bought (to get protection against a depeg or bet that a peg will hold) or sold (to bet that a peg will be lost) and create a new financial primitive to price, hedge, and trade depeg risks.
For more information about Cork, please visit https://www.cork.tech/
Scope
Assets in Scope
- Smart Contracts:
- Web/app
Out-of-Scope Targets:
- Previous Audits
- Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
- Impacts relying on known vulnerabilities that were publicly acknowledged by Cork through Issues or Pull Requests in any of Cork’s Public Github repositories at:
- Impacts relying on maintenance windows that have been publicly disclosed on
- Impacts relying on vulnerabilities within our 3rd-party code dependencies that have already been publicly disclosed by any party, including the security researcher
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Cork Protocol, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
The report must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
- Not be on OFAC’s SDN list.
- Not be an official contributor, past or present.
- Not be an employee of, or an individual closely associated with, the project.
- Not be a security auditor who directly or indirectly participated in the audit review.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Smart Contract Code
Risk Score | Reward Amount |
---|---|
Critical | USD 30,000 - USD 100,000 |
High | USD 10,000 - USD 30,000 |
- Web Interface / Frontend
Severity | Reward Amount |
---|---|
Critical | TBD |
- For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 30,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.
Repeatable Attack Limitations
- If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.
- For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.
Reward Calculation for High Level Reports
- High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 10,000 to USD 30,000 depending on the funds at risk, capped at the maximum high reward.
- In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.
Critical web/app bug reports will be rewarded with USD TBD only if the impact leads to:
- A loss of funds involving an attack that does not require any user action
- Private key or private key generation leakage leading to unauthorized access to user funds
All other impacts that would be classified as Critical would be rewarded a flat amount of USD TBD. The rest of the severity levels are paid out according to the Impact in Scope table.
Note: Actual reward amounts are determined at Cork’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant Cork the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Cork. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$100,000
Started on 5 Mar 2025
Sablier / sablier-contracts
Live
Sablier is a powerful onchain token distribution protocol. Here are some key definitions:
- The Sablier Protocol: A collection of persistent, non-upgradeable smart contracts to facilitate streaming of ERC-20 tokens on Ethereum and other EVM blockchains. The Sablier Protocol consists of Lockup, Merkle Airdrops, and Flow.
- The Sablier Interface: A web interface that allows for easy interaction with the Sablier Protocol. The interface is only one of many ways to interact with the Sablier Protocol.
- Sablier Labs: The company that develops the Sablier Protocol, the Sablier Interface, and the documentation website you are reading right now.
Scope
In-Scope Targets:
This bounty covers bugs of critical or high severity that could lead to the unauthorized transfer or loss of funds from the Sablier smart contracts.
Out-of-Scope Targets:
- Code outside the src directories.
- External code in node_modules, except code explicitly used by a deployed contract from src.
- Deployments on test networks.
- Bugs in third-party contracts or platforms interacting with the Sablier Protocol.
- Bugs that have already been reported in previous audits
Vulnerabilities contingent upon the occurrence of any of the following are also out-of-scope:
- Front-end bugs (e.g., clickjacking) and related social engineering attacks.
- DNS configuration records.
- DDoS attacks, spamming, or phishing.
- Private key leaks.
- Automated tools (e.g., Github Actions).
- Compromise or misuse of third party systems or services.
Note: If a vulnerability is of exceptional severity, we may accept submissions involving code outside the defined scope. However, the threshold for such reports is significantly higher, and reward eligibility will be assessed on a case-by-case basis.
Protocol Assumptions
Every protocol is built with certain assumptions. You MUST adhere to them while reporting bugs. You can find protocol assumptions in the respective repositories:
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Sablier, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Report must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
If a reported issue is exploited before it is fixed, the submission will not be eligible for a bounty.
Reports should be made as soon as possible - ideally within 24 hours of discovery.
Anyone who reports a unique, previously unreported vulnerability that results in a change to the code or a configuration, and who keeps such vulnerability confidential until resolution, will be recognised publicly if they choose.
Eligibility
To qualify for a reward under this Program, you MUST:
- Identify a previously unreported, non-public vulnerability within the scope of this Program that could result in the loss or freeze of any ERC-20 token in any of the Sablier Protocols (excluding third-party platforms interacting with it).
- Ensure the vulnerability is distinct from issues covered in the previous Audits.
- Be the first to report the unique vulnerability in accordance with the disclosure requirements specified above. In cases of multiple similar reports within 24 hours, rewards will be split at the discretion of Sablier Labs.
- Provide sufficient information to allow our engineers to reproduce and remediate the vulnerability.
- Refrain from any unlawful conduct when disclosing the bug (e.g., threats or coercive tactics).
- Avoid exploiting the vulnerability or profiting from it beyond the offered reward.
- Make a genuine effort to prevent privacy violations, data destruction, or any interruption or degradation of Sablier Protocol.
- Submit only one vulnerability per submission, unless chaining vulnerabilities is necessary to demonstrate the impact of any of them.
- Not submit a vulnerability that stems from an underlying issue for which a reward has already been paid under this Program.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
- Not be a current or former employee, vendor, or contractor of Sablier Labs, or an employee of any of its vendors or contractors.
- Not be subject to UK sanctions or reside in a UK-embargoed country.
- Be at least 18 years old, or if underage, submit the vulnerability with the consent of a parent or guardian.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
Risk Score | Payout Range |
---|---|
Critical | Up to $100,000 |
Rewards will be allocated based on the severity and impact of the disclosed bug after a thorough assessment by the Sablier team. For critical bugs that lead to significant unauthorized fund transfers, rewards of up to $100,000 will be granted. Lower severity bugs may receive nominal rewards or none at all, as determined by the Sablier Labs team.
Note: Actual reward amounts are determined at Sablier Labs’ sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant Sablier Labs the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Sablier Labs. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$100,000
Starts on 6 May 2025
Huma Finance / Huma Bounty
Live
On-chain credit platform where high-performing receivables meet with global capital.
Visit the docs for a complete project overview.
Smart Contracts in Scope
huma-contracts-v2
Name (address link) | Repo |
---|---|
huma-contracts-v2 | https://github.com/00labs/huma-contracts-v2/tree/main |
Excluding mocks, tests, scripts, etc. Valid issues must satisfy one of the severity definitions below.
Deployed Contracts Celo
Name | Celo Address |
---|---|
Calendar | 0x129686C98916c7fFF9cf9110127402D070183610 |
HumaConfig | 0x9345cc5617F906C62bE1608680B9C0FC3e7707B0 |
HumaConfigTimelock | 0x14B067bac6039429A11baf564db90eDBcc4E27F3 |
PoolConfigImpl | 0x7b6b28434c74E6DB5ba5c9a71eA6ff7A6D5071A5 |
PoolFeeManagerImpl | 0x3D143343FC4bF823365A38Fb76A89754C5C22f77 |
PoolSafeImpl | 0xd2FFCC9f6797ce2D7B503DC3287c4cc4D7fde77F |
FirstLossCoverImpl | 0x0D9b3ecd2B890651EF7dF65650b419a202D38FF4 |
RiskAdjustedTranchesPolicyImpl | 0xe780653d7c03A5199B3c13b8c663fcE2CDd72562 |
FixedSeniorYieldTranchesPolicyImpl | 0x86c3a14EE6f0B9BFeE1439a9b6eA191B565a3A0F |
PoolImpl | 0xa6C59ce6c1E1A519EcE7ad0Eeead31D485C7C8A9 |
EpochManagerImpl | 0x5aF84f6c8c6738417e6081677f186839294b5eEc |
TrancheVaultImpl | 0xf26A071833032Ce57769fdf530E81A28f15671df |
CreditLineImpl | 0x73c16Db24951135BC8A628185BdbfA79115793E5 |
ReceivableBackedCreditLineImpl | 0xE265E07F9d18Df940A75CfFfEA51211F4f0C46cC |
ReceivableFactoringCreditImpl | 0x2DF0091067B29Cbac6bD8C2cE15334dEFEE9738C |
CreditDueManagerImpl | 0xe1Bd10Bba7DF72527dB2F6955d8A731844C8bf84 |
CreditLineManagerImpl | 0xC98dEAA52Ba4848079aA0A4e48BEA6f0AcdC542c |
ReceivableBackedCreditLineManagerImpl | 0xAD3FB6bB897f85125436a63a5b8c3Dfb5928Fa4e |
ReceivableFactoringCreditManagerImpl | 0x7EF17831D7153b085ccDEFc02373234Baec16243 |
ReceivableImpl | 0x8920C27a3D76daA004f373f78fa1Ed01B4940FbA |
LibTimelockController | 0x41B1Dd4c2bbcff308Ef95210532B97DF87D8c053 |
PoolFactoryImpl | 0x2DA34B43089F20c87770674fb7d8Fa5b5384534b |
PoolFactory | 0x85c8dC49B8DaA709e65dd2182e500E8AC3CaA6C7 |
Severity Definitions
Smart Contracts
Severity level | Impact: High | Impact: Medium |
---|---|---|
Likelihood: high | $50,000.00 | $25,000.00 |
Likelihood: medium | $25,000.00 | $10,000.00 |
Issues in Scope
Critical
Complete, or near complete, loss of all funds in the protocol.
High
Meaningful, but limited, loss of funds. Examples include a single pool vulnerable to complete loss of funds, or partial loss of TVL across the protocol such as 15% loss, etc.
Medium
Privilege escalation and circumventing access controls not leading to loss of funds in a way that qualifies as a higher severity.
Out of Scope (all repositories)
Known Issues
Known issues from previous security reviews are considered out of scope. (Spearbit-Security-Review)
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors. (E.g. yield calculation precision not leading to meaningful loss of funds.)
- Relatively high gas consumption.
- Centralization or admin risks.
All other issues acknowledged in the audits in the Spearbit-Security-Review
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor who currently works, or previously worked, with Huma Finance cannot participate in the Bug Bounty without prior approval. Examples include Huma contributors, security researchers who worked on Huma Finance code reviews, etc.
$50,000
Started on 5 Jul 2024
Size Credit / size-solidity
Live
Size is a fixed-rate lending marketplace built on an order book where offers are expressed like yield curves, allowing efficient and continuous pricing across markets and maturities.
Scope
In-Scope Targets:
- Repository: https://github.com/SizeCredit/size-solidity
- Commit: 739250c26be314b0d74e670297a344b02be625d0
- Total LOC: 4301
- Files: src/
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Known issues:
- Referenced on the project README and past audit reports
Documentation
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Size Credit, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Report must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Likelihood: High | Likelihood: Medium | Likelihood: Low |
---|---|---|---|
Impact: High | Critical | High | Medium |
Impact: Medium | High | Medium | Low |
Impact: Low | Medium | Low | - |
Impact Definitions:
- Critical:
  - Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
  - Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  - Permanent freezing of funds
  - Protocol insolvency
- High:
  - Theft of unclaimed yield
  - Permanent freezing of unclaimed yield
  - Temporary freezing of funds for more than 1 week
- Medium:
  - Smart contract unable to operate due to lack of token funds
  - Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  - Unbounded gas consumption
- Low:
  - Contract functions are affected, but without loss of funds or severe impact
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
Risk Score | Maximum Payout | Minimum Payout (Optional) |
---|---|---|
Critical | $50,000 | $10,000 |
High | $5,000 | $1,000 |
Note: Actual reward amounts are determined at Size Credit’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant Size Credit the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Size Credit. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$50,000
Started on 3 Apr 2025
Whetstone / doppler-contracts
Live
Doppler is a customizable liquidity-bootstrapping protocol designed for the Uniswap Ecosystem.
Scope
In-Scope Targets:
- Core Contracts:
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Contracts not deployed on a production (mainnet) network are out-of-scope
- Previously found issues are out-of-scope - https://cantina.xyz/portfolio/ba92f3ff-2d28-4d69-82e1-1e512a8a94c5
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Whetstone, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Report must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Core Smart Contract Code
Risk Score | Payout Range |
---|---|
Critical | Up to $50,000 |
High | Up to $25,000 |
Medium | Up to $5,000 |
Low | Discretionary |
Note: Actual reward amounts are determined at Whetstone Research's sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant Whetstone Research the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Whetstone Research. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$50,000
Started on 7 Apr 2025
Marginal / marginal-bounty
Live
Marginal is a permissionless spot and perpetual exchange that enables leverage on any asset with a Uniswap V3 Oracle.
One can think of the core mechanism of the protocol as analogous to overcollateralized short-selling with the interest payment dictated by a typical perpetual funding rate.
Visit the docs for a complete project overview.
Smart Contracts in Scope
Deployments: Sepolia
V1 Core:
Target URL | Type |
---|---|
MarginalV1Factory.sol | MarginalV1Factory |
MarginalV1Pool.sol | MarginalV1Pool |
V1 Periphery:
Target URL | Type |
---|---|
NonfungiblePositionManager.sol | NonfungiblePositionManager |
Router.sol | Router |
Quoter.sol | Quoter |
Oracle.sol | Oracle |
PoolInitializer.sol | PoolInitializer |
PairArbitrageur.sol | PairArbitrageur |
Severity Definitions
Smart Contracts
Severity level | Impact: High | Impact: Medium |
---|---|---|
Likelihood: High | Up to $25,000 | - |
Likelihood: Medium | - | - |
Out of Scope (all repositories)
Known Issues
Known issues from previous security reviews are considered out of scope.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Oracle manipulation attacks.
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
$25,000
Started on 8 Jul 2024
Spearbit / Spearbit Bounty
Live
Spearbit is a distributed network of industry-leading security researchers tackling the most complex and mission-critical protocols across web3.
Cantina is the one-stop shop for all your security needs, allowing you to source the best network of teams, freelancers, and services to keep your smart contracts secure.
Guidelines
- Scope: Only vulnerabilities found on our websites (https://spearbit.com and its subdomains) are eligible for rewards.
- Testing: Do not perform any testing that could disrupt our services or compromise user data.
- Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.
- Submission: All submissions must be done on this bounty repository on Cantina Code. More details on submissions here.
Vulnerability Rewards
Here's a general overview:
Severity | Reward Range |
---|---|
Critical | $20,000 - $25,000 |
High | $10,000 - $20,000 |
Medium | $1,000 - $10,000 |
Low | Discretionary |
Severity Levels
- Critical
  - Remote code execution
  - Unauthorized access to sensitive user data
  - Ability to perform actions as a privileged user
- High
  - SQL injection
  - Cross-Site Scripting (XSS) with significant impact
  - Authentication bypass
- Medium
  - Cross-Site Request Forgery (CSRF)
  - Server-side request forgery
  - Sensitive information disclosure
- Low
  - Cross-Site Scripting (XSS) with limited impact
  - Open redirects
  - Clickjacking vulnerabilities
Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.
Out of Scope
The following activities and vulnerability types are considered out of scope for this bug bounty program:
- Physical attacks against our employees, offices, or data centers
- Social engineering attacks against our employees or users
- Vulnerabilities in applications or systems not owned by us
- Vulnerabilities requiring physical access to a user's device
- Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)
Testing Guidelines
To ensure safe and responsible testing:
- Use only your own accounts or test accounts for testing.
- Do not attempt to access, modify, or destroy data that does not belong to you.
- Be mindful of testing that might impact system availability or integrity.
- Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.
If you're unsure whether a specific test is allowed, please contact us before proceeding.
Thank you for helping us keep our platform secure!
$25,000
Started on 27 Jul 2024
Cantina / Cantina Bounty
Live
Cantina is the one-stop shop for all your security needs, allowing you to source the best network of teams, freelancers, and services to keep your smart contracts secure.
Guidelines
- Scope: Only vulnerabilities found on our websites (https://cantina.xyz and its subdomains) are eligible for rewards.
- Testing: Do not perform any testing that could disrupt our services or compromise user data.
- Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.
- Submission: All submissions must be done on this bounty repository on Cantina Code. More details on submissions here.
Vulnerability Rewards
Here's a general overview:
Severity | Reward Range |
---|---|
Critical | $20,000 - $25,000 |
High | $10,000 - $20,000 |
Medium | $1,000 - $10,000 |
Low | Discretionary |
Severity Levels
- Critical
  - Remote code execution
  - Unauthorized access to sensitive user data
  - Ability to perform actions as a privileged user
- High
  - SQL injection
  - Cross-Site Scripting (XSS) with significant impact
  - Authentication bypass
- Medium
  - Cross-Site Request Forgery (CSRF)
  - Server-side request forgery
  - Sensitive information disclosure
- Low
  - Cross-Site Scripting (XSS) with limited impact
  - Open redirects
  - Clickjacking vulnerabilities
Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.
Out of Scope
The following activities and vulnerability types are considered out of scope for this bug bounty program:
- Physical attacks against our employees, offices, or data centers
- Social engineering attacks against our employees or users
- Vulnerabilities in applications or systems not owned by us
- Vulnerabilities requiring physical access to a user's device
- Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)
Testing Guidelines
To ensure safe and responsible testing:
- Use only your own accounts or test accounts for testing.
- Do not attempt to access, modify, or destroy data that does not belong to you.
- Be mindful of testing that might impact system availability or integrity.
- Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.
If you're unsure whether a specific test is allowed, please contact us before proceeding.
Thank you for helping us keep our platform secure!
$25,000
Started on 27 Jul 2024
Nodle / Nodle
Live
Introduction
The Nodle Network is a decentralized wireless network, composed of Nodle Edge Nodes, powered by the Nodle Chain, and the NODL token. Nodle connects the physical world to Web3 by using smartphones as edge nodes. The edge nodes read devices and sensors in the physical world using Bluetooth Low Energy (BLE) and connect that information to the blockchain. This creates a geolocation-based layer one that can be used by many unique applications built for the hyper-connected, mobile-oriented world we live in. Nodle creates an economic model that is secure, private, and scalable.
Nodle also develops the Click Camera, a unique solution to authenticate pictures using C2PA, a standard from Adobe, and NFTs.
For more information about Nodle, please visit https://www.nodle.com/. For more information about Click, please visit https://clickapp.com/.
Scope
In-Scope Targets:
Target | Type |
---|---|
https://github.com/nodlecode/chain | Blockchain/DLT - Nodle Chain Node |
https://github.com/NodleCode/rollup | Smart Contracts |
https://client.nodle.com | Web/App |
https://zkclient.nodle.com | Web/App |
Nodle App iOS | Web/App |
Nodle App Android | Web/App |
Click Camera iOS | Web/App |
Click Camera Android | Web/App |
Impacts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production. Any impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bounty program unless explicitly mentioned as in-scope.
Out-of-Scope Targets:
- Previous audits and known issues are out of scope and can be found at:
Description of Known Issue | Related Impact-in-Scope |
---|---|
Upstream reports to Parity Technologies, for Polkadot or related projects. | Blockchain/DLT/Web/API |
Upstream reports made to OnFinality, concerning improper operation of the Nodle hosted Mainnet RPC endpoint. | Blockchain/DLT/Web/API |
Upstream reports made to Matter Labs or related entities, for ZKsync or zkEVM issues. | Blockchain/DLT |
Substrate Pallet Audit, Halborn, Feb. 2022 | Blockchain/DLT |
Secfault Security, Substrate Chain Audit, July 2020 | Blockchain/DLT |
Quantstamp Security Assessment Certificate, Sept. 2020 | Blockchain/DLT |
Resonance Security, Aug. 2024 | Blockchain/DLT |
Nethermind Bridge Audit, Sept. 2024 | Blockchain/DLT |
Matter Labs Solidity Audit, Sept. 2024 | Blockchain/DLT |
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Nodle Network, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Reports must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within scope.
- Provide sufficient information to reproduce and fix the issue.
- Not have exploited the vulnerability in a malicious manner.
- Not have disclosed the vulnerability to third parties prior to receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Blockchain
Risk Score | Payout Range |
---|---|
Critical | $10,000 - $20,000 USD, $NODL |
High | $2,000 - $10,000 USD, $NODL |
Rewards for critical Blockchain vulnerabilities are further capped at 10% of the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused. However, there is a minimum reward of $10,000 for Critical Blockchain/DLT bug reports.
Rewards for high Blockchain vulnerabilities are further capped at 100% of the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused. However, there is a minimum reward of $2,000 for High Blockchain/DLT bug reports.
- Web Interface / Frontend
Risk Score | Payout Range |
---|---|
Critical | $4,000 - $10,000 USD, $NODL |
High | $1,000 - $4,000 USD, $NODL |
Rewards for critical web/app vulnerabilities will be further capped at 10% of direct funds at risk if the bug discovered is exploited. However, there is a minimum reward of $4,000.
High web/app vulnerabilities will be further capped at up to 100% of the funds affected. However, there is a minimum reward of $1,000.
Note: Actual reward amounts are determined at Nodle Network’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Out of Scope
Category | Specific Vulnerabilities and/or Attacks to be Excluded |
---|---|
Website & Application | Attacks with the potential to disrupt other customers of a shared web hosting environment, such as but not limited to Vercel. |
Website & Application | Attacks that purposefully access account-related data that belongs to another user, and was not created for explicit purposes of security investigation. |
Website & Application | Attacks relying on the user installing other applications on their smartphone. |
Website & Application | Attacks requiring rooted or jailbroken phone systems. |
Blockchain/DLT | Attacks with the potential to disrupt other customers of a shared hosting environment such as OnFinality, SubQuery, or Alchemy. |
Blockchain/DLT | Attacks that purposefully access account-related data that belongs to another user, and was not created for explicit purposes of security investigation. |
Blockchain/DLT | Vulnerabilities affecting third-party services used by Nodle such as OnFinality. |
Other Terms
By submitting a report, you grant Nodle Network the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Nodle Network. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$20,000
Started on 6 Feb 2025
Eco Foundation / eco
Live
Eco provides secure and cheap stablecoin transfer pathways between connected chains (initially any L2 or L3 rollup settling on Ethereum), with a network of Solvers providing on-demand liquidity. The Eco Routes intent-based design ensures transfers are executed before settlement, eliminating capital loss risk for users.
Scope
In-Scope Targets:
- Core Contracts:
- Web Interface / Application:
- Other In-Scope Assets:
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Mailbox contract from Hyperlane
- Hyperlane
- Gas optimizations are out of scope
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by [Program Name/Company], or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Reports must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Core Smart Contract Code
Risk Score | Payout Range |
---|---|
Critical | Up to $20,000 |
High | Up to $5,000 |
Medium | Up to $1,000 |
Low | Up to $500 |
- Web Interface / Frontend
Risk Score | Payout Range |
---|---|
Critical | Up to $5,000 |
High | Up to $2,500 |
Medium | Up to $1,000 |
Low | Up to $500 |
- Other Assets (Backend, Mobile, Extension)
Risk Score | Payout Range |
---|---|
Critical | Up to $5,000 |
High | Up to $2,500 |
Medium | Up to $1,000 |
Low | Up to $500 |
Note: Actual reward amounts are determined at Eco’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant Eco Bug Bounty Program the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Eco. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.
$20,000
Started on 21 Mar 2025
Deri / deri-protocol
Live
The Deri Protocol is the DeFi way to trade derivatives: to hedge, to speculate, to arbitrage, all on-chain. With Deri Protocol, trades are executed under the AMM paradigm, and positions are tokenized as NFTs, making them highly composable with other DeFi projects. By providing an on-chain mechanism to exchange risk exposures precisely and capital-efficiently, Deri Protocol has become a critical component of the DeFi infrastructure. For more information, visit Deri Protocol.
The goal of this Bug Bounty Program is to encourage responsible security research by providing incentives for finding and reporting vulnerabilities in the Deri Protocol codebase and related systems. By participating in this Program, you help us maintain a safe, secure, and reliable environment for our users.
Scope
In-Scope Targets:
- Core Contracts:
- Deri V4 Smart Contracts
- Only Exact Match Verified smart contracts are considered as in-scope of the bug bounty program.
- Deri V4 Supra Smart Contracts
- Deri V4 Smart Contracts
If an impact can be caused to any other asset managed by Deri Protocol that isn’t on this table but for which the impact is in the Impacts in Scope section, you are encouraged to submit it for the consideration of the project. This applies to only Critical impacts.
- Web Interface / Application:
If you discover a vulnerability in any component not explicitly listed but posing a critical risk to user funds, data, or the system's integrity, you may submit it for consideration. Such submissions will be reviewed on a case-by-case basis.
Out-of-Scope Targets:
- Contracts and code not listed in the in-scope table
- Third-party code and dependencies
- Development branches not yet deployed
- Known non-issues like rounding errors, gas optimizations, or best practices critiques
- Websites, APIs, or test environments not under Deri Protocol’s control
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments. Use local or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose vulnerability details before addressing the issue and receiving written consent.
- No Exploitation or Data Exfiltration: Do not exploit vulnerabilities beyond the minimum necessary to demonstrate the issue. Avoid accessing private data, engaging in social engineering, or disrupting services.
- No Conflict of Interest: Individuals currently or formerly employed by Deri Protocol or its affiliates, or contributors to affected code, are ineligible to participate.
Disclosure Requirements
Reports must be submitted to Cantina Bug Bounty Platform. Include:
- A clear description of the vulnerability and its impact
- Steps to reproduce, ideally with a proof of concept (PoC)
- Conditions under which the issue occurs
- Potential implications if exploited
Submissions should be made as soon as possible—preferably within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope
- Provide sufficient information to reproduce and fix the issue
- Not exploit the vulnerability maliciously
- Not disclose the vulnerability to third parties before receiving consent
- Comply with all Program rules and applicable laws
You must also be of legal age in your jurisdiction and not be a resident of a country under sanctions or restrictions.
Severity and Rewards
Severity Classification Matrix
Severity Level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood: High | Critical | High | Medium |
Likelihood: Medium | High | Medium | - |
Likelihood: Low | Medium | - | - |
Severity Definitions
Smart Contracts
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Rewards
Severity | Payout Range |
---|---|
Critical | Up to $10,000 |
High | Up to $5,000 |
Medium | Up to $1,000 |
Websites and Applications
- Critical:
- Execution of unauthorized system commands
- Disruption or takedown of an application or website
- Circumvention of authentication mechanisms
- Unauthorized signing of transactions
- Redirection of user deposits or withdrawals
- Subdomain takeovers leading to financial losses
- Manipulation of wallet interactions resulting in financial loss
- Direct theft or misappropriation of user funds
Rewards
Severity | Payout Range |
---|---|
Critical | Up to $1,000 |
Out of Scope & Rules
- Stale price checks and sequencer uptime checks are known issues and are considered out of scope
Excluded Vulnerabilities:
- Attacks already exploited
- Vulnerabilities requiring leaked keys/privileged access
- Third-party data issues (e.g., incorrect oracle data)
- Centralization risks
- Theoretical vulnerabilities without PoC
- Feature requests or best practices critiques
Prohibited Activities:
- Testing on mainnet/public testnet
- Testing third-party systems/applications
- Phishing or social engineering attacks
- Denial of service attacks
- Public disclosure of unpatched vulnerabilities
Other Terms
By submitting a report, you grant Deri Protocol the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions are at Deri Protocol’s sole discretion. Program terms and scope are subject to change. Participants are responsible for reviewing the latest version before submitting a report.
$10,000
Started on 19 Dec 2024