The Uniswap Protocol is a peer-to-peer system designed for the swapping of value. The Protocol is implemented as a set of persistent, non-upgradable smart contracts designed to function without the need for any intermediaries.

Scope

Contracts

The Program includes vulnerabilities and bugs in the latest deployed versions of the specified Uniswap contracts below, and commit b619b67 of the specified undeployed v4-core contracts. These files are found within the following GitHub repositories:

• V4 Core Contracts
• Universal Router Contract Code
• Permit2 Contract Code
• V3 Contract Code
• UniswapX Contract Code
• Uniswap Interface Code

However if you find a bug in a Uniswap smart contract outside of these repositories, where user funds are at risk, the team will consider the issue to be in-scope for our bounty as an Other Uniswap Contract Code (for purposes of payout eligibility). Additionally, we anticipate adding v4-periphery to the Program soon.

Websites

• app.uniswap.org

Other

• Public NPM packages in the @uniswap org
• The Uniswap Chrome Extension
• The Uniswap Mobile Application
  • iOS
  • Android

Out of Scope

• V4 Periphery Contracts
• v4 hooks that were not developed by Uniswap Labs.
• Clickjacking (we do allow 3rd parties to iframe us)
• DDOS
• Bugs in third party code
• Dev branches that are not deployed in public packages or contracts
• Third party contracts that are not under the direct control of Uniswap Labs
• Issues already listed in the audits for the contracts above
• Bugs in third party contracts or applications that use Uniswap contracts
• Brute force attacks
• Rounding errors
• Cache-control header settings
• Extreme market turmoil vulnerability
• Gas optimization recommendations
• Task Hijacking (Strandhogg)
• Any vulnerability that is previously known by the Uniswap Labs team

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.

  • We recommend testing on local forks, for example using foundry.

• Public disclosure of bugs without the written consent of the Uniswap Labs team.

• Conflict of Interest: any individual who is or has ever been employed by Uniswap Labs may not participate in the Bug Bounty. Additionally, any individual who has been involved in or contributed to the development of the code of the bug in question may not participate in the Bug Bounty

Disclosure

The vulnerability must not be disclosed publicly or to any other person, entity or email address before Uniswap Labs has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.

A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:

• The conditions on which reproducing the bug is contingent.
• The steps needed to reproduce the bug or, preferably, a proof of concept.
• The potential implications of the vulnerability being abused.

Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if they so choose.

Eligibility

To be eligible for a reward under this Program, you must:

• Discover a previously-unreported, non-public vulnerability that is not previously known by the Uniswap Labs team and is within the scope of this Program

• Provide all KYC and other documents as requested

• Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements.

• Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.

• Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).

• Not publicize or exploit a vulnerability in any way, other than through private reporting to us

• Refrain from any privacy violations, destruction of data, interruption or degradation of any of the assets in scope.

• Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.

• Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.

• Be at least the age of majority at the time of submission.

• Not reside in a country under any trade or economic sanctions by the United States Treasury’s Office of Foreign Assets Control, or where the laws of the United States or local law prohibits participation.

• Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code of the bug in question.

• Comply with all the rules of the Program, including but not limited to, refraining from engaging in any Prohibited Actions.

Rewards

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

1. Impact Assessment

The Program includes the following 4 level Impact severity scale:

Critical Impact:

• For smart contract code: An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 20%-100% of the total TVL across all chains supported by Uniswap Labs’ Web Interface (at app.uniswap.org).
• Issues that could impact numerous users and have serious reputational, legal or financial implications

High Impact:

• For smart contract code: An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 0.5%-20% of the total TVL across all chains supported by Uniswap Labs’ Web Interface (at app.uniswap.org).
• Issues that impact individual users where exploitation would pose reputational, legal or moderate financial risk to the user.

Medium Impact:

• Smaller losses (by stealing, wasting or permanently freezing) - impacting only individual users, or specific tokens, or specific chains.

Low/Informational Impact:
The issue does not pose an immediate risk but is relevant to security best practices.

Rewards will be given based on the above impact scale, combined with the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of Uniswap Labs.

2. Likelihood Assessment

• High: Very likely to occur, either due to ease of execution or strong incentives that make it highly probable.
• Medium: Likely under specific conditions or scenarios, where incentives and feasibility make it reasonably expected.
• Low: Rare but conceivable, potentially occurring under extreme yet realistic market situations.

Payout Calculations

Select the payout amounts by which part of our product the bug is in. The Risk Score is calculated by combining the bug’s Impact and Likelihood using the Risk Classification Matrix above, to find the overall Risk of the bug.

The aggregate, maximum amount of Payouts for Uniswap v4 Contract Code is $44,400,000. All Payout amounts will be calculated based on the order in which the submission was received. The Program will be updated as appropriate to provide updates on Payout eligibility and amounts.

Uniswap v4 Contract Code

Scope:

• All contracts inside src/ in the v4-core, except those inside src/test/

Risk Score	Payout
Critical	$15,500,000
High	$1,000,000
Medium	$100,000
Low	Discretionary

Other Uniswap Contract Code

Risk Score	Payout
Critical	$2,250,000
High	$500,000
Medium	$100,000
Low	Discretionary

Uniswap Web Interface

This is for only the Uniswap Labs web application (app.uniswap.org)

Risk Score	Payout
Critical	$250,000
High	$50,000
Medium	$10,000
Low	Discretionary

Uniswap Labs Other Websites

This is for websites that belong to Uniswap Labs, but do not involve potential wallet interactions.

Risk Score	Payout
Critical	$50,000
High	$10,000
Medium	$2,000
Low	Discretionary

Uniswap Labs Backend

Risk Score	Payout
Critical	$50,000
High	$10,000
Medium	$2,000
Low	Discretionary

Uniswap Mobile Wallet/Extension Wallet

Risk Score	Payout
Critical	$50,000
High	$10,000
Medium	$2,000
Low	Discretionary

Other Terms

By submitting your report, you grant Uniswap Labs any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at Uniswap Labs’ sole discretion. The terms and conditions of this Program may be altered at any time.

Euler V2 is a modular lending platform with two main components at launch: 1) the Euler Vault Kit (EVK), which empowers builders to deploy and chain together their own customised lending vaults in a permissionless manner; and 2) the Ethereum Vault Connector (EVC), a powerful, immutable, primitive which give vaults superpowers by allowing their use as collateral for other vaults. Together, the EVK and EVC provide the flexibility to build or recreate any type of pre-existing or future-state lending product inside the Euler ecosystem.

Euler Vault Kit:

The Euler Vault Kit is a system for constructing credit vaults. Credit vaults are ERC-4626 vaults with added borrowing functionality. Unlike typical ERC-4626 vaults which earn yield by actively investing deposited funds, credit vaults are passive lending pools.

Ethereum Vault Connector

The Ethereum Vault Connector (EVC) is a foundational layer designed to facilitate the core functionality required for a lending market. It serves as a base building block for various protocols, providing a robust and flexible framework for developers to build upon. The EVC primarily mediates between vaults, contracts that implement the ERC-4626 interface and contain additional logic for interfacing with other vaults. The EVC not only provides a common base ecosystem but also reduces complexity in the core lending/borrowing contracts, allowing them to focus on their differentiating factors.

Euler Price Oracle:

Euler Price Oracle is a library of modular oracle adapters and components that implement IPriceOracle, an opinionated quote-based interface. It supports Chainlink, Chronicle, RedStone Core and Pyth through minimal, immutable adapter contracts. The EulerRouter component is a dispatcher contract that maintains a configuration of resolver oracles with an optional fallback. The router can price ERC4626 shares to assets through convertToAsset, making it a convenient entry point contract for EVK pricing.

Reward Streams:

Reward Streams is a powerful and flexible implementation of the billion-dollar algorithm, a popular method for proportional reward distribution in the Ethereum developer community. This project extends the algorithm's functionality to support both staking and staking-free (based on balance changes tracking) reward distribution, multiple reward tokens, and permissionless registration of reward distribution schemes (reward streams). This makes Reward Streams a versatile tool for incentivizing token staking and holding in a variety of use cases.

Fee Flow:

Fee Flow is an efficient, decentralized, and MEV-resistant mechanism designed to convert fee assets to a single token. It operates using a continuous auto-adjusting Dutch auction mechanism, providing a secure and optimized way to handle fee conversions in blockchain applications. This component helps streamline token economics by efficiently managing the flow of transaction fees across various assets.

Euler Earn:

Euler Earn is an open source protocol for permissionless risk curation on top of ERC4626 vaults (strategies). It functions as an ERC4626 vault itself, allowing risk curators to deploy vaults through its factory. Each vault supports one loan asset and can allocate deposits across multiple strategies. The protocol offers noncustodial, immutable instances that provide users with a streamlined way to supply liquidity and earn passive yield. While initially designed to integrate with the EVK vaults, Euler Earn can work with any ERC4626-compliant vault.

Eligibility

To qualify for a reward under this program, you must:

1. Identify a previously unknown, non-public vulnerability that hasn't been reported before and is within the program's scope.
2. Be the first to report the distinct vulnerability, adhering to the disclosure guidelines.
3. Provide detailed information that allows our engineers to replicate and resolve the vulnerability.
4. Avoid exploiting the vulnerability in any manner, including making it public or profiting from it (except for the program's reward).
5. Report the vulnerability privately to us without public disclosure.
6. Make every effort to prevent privacy breaches, data destruction, or interruption of the in-scope assets.
7. Ensure the vulnerability isn't caused by an underlying issue that has already received a reward under this program.
8. Refrain from any illegal activities when disclosing the bug, such as using threats or coercion.
9. Be at least 18 years old or, if under 18, submit your finding with parental or guardian consent.
10. Not be subject to OFAC sanctions or reside in a country under OFAC embargo.
11. Not be a current or former employee, or a vendor or contractor involved in the code's development of the reported bug.
12. Adhere to all the program's eligibility requirements.

Scope

This bug bounty focuses on the vaults, and contracts they directly rely on, which are smart contract addresses returned by the verifiedArray() function of the following default perspectives:

• Escrowed Collateral Perspective
• Euler Ungoverned 0x Perspective
• Governed Perspective
• Euler Ungoverned nzx Perspective
• Euler Earn Governed Perspective

Network Addresses

For the most up-to-date deployment addresses across various networks, please refer to the Euler Docs Contract Addresses. This website serves as the central source of truth for all network-specific addresses.

Steps for Security Researchers

1. Access the Documentation: Visit the Euler Docs Contract Addresses to view all available network tabs.
2. Identify Relevant Networks: Explore the tabs to identify the addresses that fall within the scope of the bug bounty.
3. Stay Updated: Regularly check the website for new network additions, as they are automatically included in the bounty scope.

This approach allows us to ensure that security researchers have access to the most current network addresses that are in scope and can adapt to new deployments as they occur.

Example: Ethereum Mainnet

For Ethereum Mainnet, the addresses are detailed in the Ethereum Mainnet Tab Euler Docs Contract Addresses. Key addresses include:

• Escrowed Collateral Perspective: 0x4e58BBEa423c4B9A2Fc7b8E58F5499f9927fADdE
• Euler Ungoverned 0x Perspective: 0xb50a07C2B0F128Faa065bD18Ea2091F5da5e7FbF
• Euler Ungoverned nzx Perspective: 0x600bBe1D0759F380Fea72B2e9B2B6DCb4A21B507
• Governed Perspective: 0xC0121817FF224a018840e4D15a864747d36e6Eb2
• Euler Earn Governed Perspective: 0x747a726736DDBE6210B9d7187b3479DC5705165E
• Fee Flow: 0xFcd3Db06EA814eB21C84304fC7F90798C00D1e32
• Balance Tracker (Reward Streams): 0x0D52d06ceB8Dcdeeb40Cfd9f17489B350dD7F8a3

Repositories in Scope

Only the contracts in the master/main branch of the following repositories that the above DEPLOYED vaults directly rely on are in scope:

• Ethereum Vault Connector
• Euler Vault Kit
• Euler Price Oracle
• Reward Streams
• Fee Flow
• Euler Earn

Note: - For Ethereum Mainnet and Base please refer to this commit deployment Euler Vault Kit Mainnet/Base and for any other network Euler Vault Kit

Websites in Scope

• Only the following site is in scope https://app.euler.finance

Severity Definitions

Smart Contracts Severity Levels

Severity level	Impact: High	Impact: Medium	Impact: Low
Likelihood:high	High	High	Medium
Likelihood:medium	High	Medium	-
Likelihood:low	Medium	-	-

High: These can drastically affect many users and result in major reputational, legal, or financial damage. Examples include the ability to permanently lock contracts or withdraw funds from all users. These could also mean broken core functionality.

Medium: These may result in loss of funds for users but under certain conditions and are not easy to perform. Also the reward to cost ratio is not large enough but still need to be fixed. Breaking of functionality or resulting in a DOS of funds for users

Website Severity Levels

High

• Remote code execution
• Unauthorized access to sensitive user data
• Ability to perform actions as a privileged user
• SQL injection
• Cross-Site Scripting (XSS) with significant impact
• Authentication bypass

Medium

• Cross-Site Request Forgery (CSRF)
• Server-side request forgery
• Sensitive information disclosure

Rewards

Core Components Rewards

These rewards apply to vulnerabilities found in the core components of Euler V2 (EVC, EVK, EPO). The bug bounty focuses specifically on the vaults, and contracts they directly rely on, which are smart contract addresses returned by the verifiedArray() function of the perspective contracts (Escrowed Collateral, Ungoverned 0x, Ungoverned nzx, and Governed).

Severity Level	Reward
High	$5,000,000.00
Medium	$200,000.00

Core Components Reward Levels

• High: Up to $5,000,000.00 USD, minimum payout $200,000.00 USD
  • First $2,500,000.00 paid in USDC
  • Next $2,500,000.00 paid in rEUL
• Medium: Up to $200,000.00 USD, minimum payout $50,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• The team may adjust the program after a high-severity payout to ensure sustainability.
• rEUL token is valued using a retrospective 30-day volume-weighted average price (TWAP) of EUL on CoinMarketCap from the date of the disclosure.

Examples:

• A $1,250,000.00 reward would be paid entirely in USDC.
• A $3,500,000.00 reward would be paid as $2,500,000.00 in USDC and $1,000,000.00 in rEUL

Boosted Rewards for Usual Stability Loan Vaults

If a vulnerability qualifies for the Euler Core Components Rewards and also affects the Usual Stability Loan (USL) vaults, Usual have generously offered to increase the reward by an additional $2.5 million in USUAL tokens. This brings the total potential reward to $7.5 million.

Vaults included

The USL vaults on Ethereum Mainnet:

• USD0++: 0xF037eeEBA7729c39114B9711c75FbccCa4A343C8
• USD0: 0xd001f0a15D272542687b2677BA627f48A4333b5d

Severity Level	Reward
High	$7,500,000.00
Medium	$200,000.00

Core Components Reward Levels

• High: Up to $7,500,000.00 USD, minimum payout $200,000.00 USD
  • First $2,500,000.00 paid in USDC
  • Next $2,500,000.00 paid in rEUL
  • Next $2,500,000.00 paid in USUAL
• Medium: Up to $200,000.00 USD, minimum payout $50,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• The team may adjust the program after a high-severity payout to ensure sustainability.
• Any rEUL or USUAL tokens will be priced using their respective retrospective 30-day volume-weighted TWAPs on CoinMarketCap from the date of the disclosure.

Examples:

• A $1,250,000.00 reward would be paid entirely in USDC.
• A $3,500,000.00 reward would be paid as $2,500,000.00 in USDC and $1,000,000.00 in rEUL
• A $5,500,000.00 reward would be paid as $2,500,000.00 in USDC and $2,500,000.00 in rEUL and $500,000.00 in USUAL

Supporting Components Rewards

These rewards apply to vulnerabilities found in Fee Flow and Reward Streams officially deployed by Euler.

Severity Level	Reward
High	$100,000.00
Medium	$25,000.00

Supporting Components Reward Levels

• High: Up to $100,000.00 USD, minimum payout $25,000.00 USD
• Medium: Up to $25,000.00 USD, minimum payout $5,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• The team may adjust the program after a high-severity payout to ensure sustainability.

Euler Earn Rewards

These rewards apply specifically to vulnerabilities found in the Euler Earn protocol. The bug bounty focuses specifically on the vaults, and contracts they directly rely on, which are smart contract addresses returned by the verifiedArray() function of the Euler Earn Governed Perspective.

Severity Level	Reward
High	$500,000.00
Medium	$100,000.00

Euler Earn Reward Levels

• High: Up to $500,000.00 USD, minimum payout $100,000.00 USD
• Medium: Up to $100,000.00 USD, minimum payout $25,000.00 USD

Notes:

• Rewards are calculated as 10% of their economic impact.
• The team may adjust the program after a high-severity payout to ensure sustainability.

Rewards for Web Interface Bugs

Severity Level	Reward
Critical	$25,000.00
High	$5,000.00
Medium	$1,000.00

Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.

Out of Scope

Contracts

Any previous issue marked as acknowledged/will not fix is not in scope to be reported again. If there has been a fix implemented, the fixed code can be treated as in scope.

• Issues described in our documentation: in-code comments, in the README and in the whitepapers.
• Issues found in previous security reviews
• Issues found in development branches
• Issues related to deploy scripts or tests
• Third party integrations not functioning as advertised
• Issues related to potentially malicious actions taken by Euler DAO controlled entities are considered out of scope as they are assumed to be trusted
• Issues related to mistakes made by governors/deployers when configuring vaults or price oracles:
  • The issue will be considered out of scope if it involves a user or vault actively opting to use something created or controlled by the untrusted actor
• Issues related to chain re-orgs and network liveness
• Incompatibilities with ERC-4626 and ERC-20 unless they pose a direct security risk
• Issues related to non-standard tokens and their behaviors (i.e. weird-tokens)
• Incorrect hardcoded addresses would be considered low, unless there is a direct loss of funds on deployment from using them.

Euler Price Oracle-Specific

• We are aware that some Price Oracles are not compatible with all networks. For example, RedstoneCoreOracle and LidoOracle only work on Ethereum.
• Issues related to misconfiguration in the constructors, including but not limited to zero addresses, wrong base/quote tokens and invalid decimals.
• Issues related to a malicious/compromised governor in EulerRouter.
• Issues related to misconfiguration in EulerRouter, including but not limited to resolving ERC4626 vaults with insecure convertToAssets method.
• Issues related to overflows and other math errors must have a demonstrable impact with a concrete scenario.
• Issues related to censorship / frontrunning users that interact with Pyth and RedStone. We expect users to interact with the EVC or another multicall-like contract to update the price and retrieve it in a single call.
• Issues related to using non-crypto price feeds in oracle adapters, including but not limited to Stocks feeds, ETF feeds, Forex feeds and any other feeds that have working hours.
• Issues stemming from sequencer downtime on L2s, including but not limited to inexistent sequencer liveness checks.
• Issues stemming from liveness and catastrophic bugs or malicious behaviour in the integrated oracles, including but not limited to Chainlink upgrades, Chronicle caller whitelist, RedStone signers rotating, Pyth downtime due to Wormhole. By using an oracle users choose to accept those trust assumptions.
• Accurate and manipulation-resistant asset pricing is the responsibility of the vault governor. Such issues are not eligible for an Euler bug bounty unless they involve critical flaws in Euler-specific code. Therefore, issues related to pricing on a specific vault—such as exchange-rate manipulation through donation attacks or spot price manipulation—are considered out of scope.

Website-Specific

• Non-security-related bugs such as performance issues or UI glitches.
• Clickjacking on pages with no sensitive actions.
• CSRF vulnerabilities on forms with no sensitive actions.
• Reports from automated tools without a working proof of concept.
• Denial of Service (DoS) attacks.
• Content spoofing and text injection without an attack vector.
• Rate limiting or brute force attacks on non-sensitive endpoints.
• Vulnerabilities in third-party services or dependencies.
• Software version disclosure
• Flaws affecting out-of-date browsers and plugins
• Self XSS
• SSL/TLS issues, such as weak ciphers or BEAST attacks, without a demonstrable impact.
• Cloudflare resources such as /cdn-cgi/ are out of scope w/o demonstrable impact

The following activities and vulnerability types are considered out of scope for this bug bounty program and strictly forbidden:

Physical attacks against our employees, offices, or data centers Social engineering attacks against our employees or users Vulnerabilities in applications or systems not owned by us Vulnerabilities requiring physical access to a user's device Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)

System Roles and Privileges

• Euler DAO: This entity manages the upgrade admin role in GenericFactory (if not revoked) and the admin role in ProtocolConfig.
• Euler Labs: This entity manages oracle adapter registry, the external vaults registry and the IRM registry and well as other day-to-day operations of the protocol.
• Vault creators/governors: Anyone can create a vault and optionally retain governance control over it. Governors are responsible for securely configuring their own vaults, and for selecting suitable vaults to use as collateral.
• EulerRouter governors: These users are responsible for maintaining the pricing sources used by the vaults.
• Synth owners/minters: These users should be considered trusted in the context of managing the synthetic asset and its distribution.
• Regular users: Any other user is considered untrusted.

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Conflict of Interest: any employee or contractor working with or who has ever worked with the Project Entity cannot participate in the Bug Bounty.
  • With the exception that former external contractors, specifically Security Auditors/Researchers, are eligible for findings on Core Components(EVK, EVC, and EPO). Current employees, former employees, and contractors with active engagements remain excluded. Euler reserves the right to determine if there is a conflict of interest on a case-by-case basis.

Testing Guidelines

To ensure safe and responsible testing:

1. Use only your own accounts or test accounts for testing.
2. Do not attempt to access, modify, or destroy data that does not belong to you.
3. Be mindful of testing that might impact system availability or integrity.
4. Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.

If you're unsure whether a specific test is allowed, please contact us before proceeding.

Morpho Blue is an immutable overcollateralized lending protocol with permissionless market creation. It implements independent lending markets, which are simple lending pools with only one collateral asset and one borrowable asset, priced through an oracle. The interest rate is given by an immutable interest rate model (IRM). Each pool is characterized by a predefined Liquidation Loan-to-Value (LLTV). Markets can be created by anyone with any ERC20 assets and oracles, with an LLTV and IRM chosen in a set predefined by governance.

MetaMorpho is a protocol for permissionless lending vaults built on top of the Morpho Blue protocol. Additionally, the Morpho Blue periphery contracts are smart contracts part of the Morpho Blue ecosystem such as MetaMorpho, a protocol for permissionless lending vaults on top of the Morpho Blue protocol.

Morpho Optimizer is a Peer-to-Peer layer on top of lending pools like Compound or Aave. Rates are seamlessly improved for both suppliers and borrowers whilst preserving the same liquidity and liquidation guarantees. In short, Compound Optimizer is an upgraded version of Compound, Aave Optmizers are upgraded version of Aave.

For more information about Morpho, please visit https://morpho.org/ Morpho provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Severity and Reward levels below.

Scope

WepApps in scope:

• https://app.morpho.org/
• https://aavev2.morpho.org/
• https://aavev3.morpho.org/
• https://compound.morpho.org/

Smart Contracts in Scope

Morpho Blue

Morpho Blue

Name (address link)	Repo
Morpho Blue	github.com/morpho-org/morpho-blue
Adaptive Curve Irm	github.com/morpho-org/morpho-blue-irm
Morpho Chainlink Oracle V2 Factory	github.com/morpho-org/morpho-blue-oracles
Pre-Liquidation	github.com/morpho-org/pre-liquidation/tree/main

MetaMorpho

Name (address link)	Repo
MetaMorpho Factory	github.com/morpho-org/metamorpho
Public Allocator	github.com/morpho-org/public-allocator
Metamorpho v1.1	github.com/morpho-org/metamorpho-v1.1

Rewards

Name (address link)	Repo
Market Rewards Program Registry	github.com/morpho-org/morpho-blue-rewards-emissions
Rewards Emission Data Provider	github.com/morpho-org/morpho-blue-rewards-emissions
Universal Rewards Distributor Factory	github.com/morpho-org/universal-rewards-distributor

Bundlers

Name (address link)	Repo
EthereumBundler	morpho-org/morpho-blue-bundlers
AaveV2MigrationBundler	morpho-org/morpho-blue-bundlers
AaveV3MigrationBundler	morpho-org/morpho-blue-bundlers
AaveV3OptimizerMigrationBundler	morpho-org/morpho-blue-bundlers
CompoundV2MigrationBundler	morpho-org/morpho-blue-bundlers
CompoundV3MigrationBundler	morpho-org/morpho-blue-bundlers

Bundler3

Name (address link)	Repo
Bundler3	morpho-org/bundler3
ParaswapAdapter	morpho-org/bundler3
AaveV3MigrationAdapter “Core”	morpho-org/bundler3
AaveV3MigrationAdapter “Prime”	morpho-org/bundler3
AaveV3MigrationAdapter “EtherFi”	morpho-org/bundler3
CompoundV3MigrationAdapter	morpho-org/bundler3
AaveV3OptimizerMigrationAdapter	morpho-org/bundler3
AaveV2MigrationAdapter	morpho-org/bundler3
CompoundV2MigrationAdapter	morpho-org/bundler3
EthereumGeneralAdapter1(specific to Ethereum)	morpho-org/bundler3
GeneralAdapter1(for all other networks)	morpho-org/bundler3
ERC20WrapperAdapter(on Base and Ethereum only for now))	morpho-org/bundler3

Morpho Optimizers

Name (address link)	Repo
Morpho Proxy (Compound)	github.com/morpho-org/morpho-v1-deprecated
Morpho (Compound)	github.com/morpho-org/morpho-v1-deprecated
PositionsManager (Compound)	github.com/morpho-org/morpho-v1-deprecated
InterestRatesManager (Compound)	github.com/morpho-org/morpho-v1-deprecated
RewardsManager Proxy (Compound)	github.com/morpho-org/morpho-v1-deprecated
Morpho Proxy (AaveV2)	github.com/morpho-org/morpho-v1-deprecated
RewardsManager (Compound)	github.com/morpho-org/morpho-v1-deprecated
Morpho (AaveV2)	github.com/morpho-org/morpho-v1-deprecated
EntryPositionsManager (AaveV2)	github.com/morpho-org/morpho-v1-deprecated
ExitPositionsManager (AaveV2)	github.com/morpho-org/morpho-v1-deprecated
InterestRatesManager (AaveV2)	github.com/morpho-org/morpho-v1-deprecated
Morpho Proxy (AaveV3 ETH eMode)	github.com/morpho-org/morpho-aavev3-optimizer
Morpho (AaveV3 ETH eMode)	github.com/morpho-org/morpho-aavev3-optimizer
PositionsManager (AaveV3 ETH eMode)	github.com/morpho-org/morpho-aavev3-optimizer
ma3WETH Vault Proxy	github.com/morpho-org/morpho-aavev3-optimizer
ma3WETH Vault	github.com/morpho-org/morpho-aavev3-optimizer
Morpho Admin (DAO)
Delay Modifier (DAO)
Role Modifier (DAO)
Morpho Token (DAO)
Operator (DAO)
Morpho-Token	github.com/morpho-org/morpho-token

All the above contracts and their versions on the following chains are also included in the scope:

• Ethereum Mainnet
• Base
• Arbitrum
• Fraxtal
• Ink
• OP Mainnet
• PolygonPOS
• Scroll
• WorldChain
• Unichain
• Sonic
• Hemi
• Mode
• Corn

Please find the relevant addresses listed here: https://docs.morpho.org/addresses/

Severity Definitions

Smart Contracts severity levels

Severity level	Impact: High	Impact: Medium	Impact: Low
Likelihood:high	Critical	High	-
Likelihood:medium	High	-	-
Likelihood:low	-	-	-

Rewards

Rewards for Smart Contract Bugs

Severity	Reward Amount
Critical	$2,500,000
High	$50,000

Reward Levels

• Critical:

  • Morpho Blue contracts:
    • Up to $2,500,000, minimum payout $250,000
    • Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.
  • MetaMorpho and other Morpho Blue periphery contracts:
    • Up to $1,500,000, minimum payout $150,000
    • Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.
  • Morpho’s Optimizer contracts:
    • Upto $555,000, minimum payout $55,000
    • Rewards will be further capped at 10% of direct funds at risk at the time of reporting the bug.

• High:

  • Up to $50,000, minimum payout $10,000

  • In case of a temporary freeze of funds, reward is proportional to the amount of funds locked and increases as the freeze duration increases up until the maximum cap of the High severity levels.

Rewards for Website and Application Bugs

Severity	Reward Amount
Critical	$50,000
High	$5,000

• Critical:
  • Morpho Blue (app.morpho.org)
    • Up to $50,000, Minimum payout $10,000
      • Max payout of $50,000 applies if the attack results in loss of funds without any user interaction or any other attack gaining unauthorizes access to funds
      • All other impacts would be capped at $10,000 for critical severity
  • All other apps
    • Up to $10,000, Minimum payout $5,000
      • Max payout of $10,000 applies if the attack results in loss of funds without any user interaction or any other attack gaining unauthorizes access to funds
      • All other impacts would be capped at $5,000 for critical severity

Out of Scope (all repositories)

Known Issues

Bug reports covering previously-discovered bugs (listed below) are not eligible for a reward within this program. This includes known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk. Every issue opened in the repo, closed PRs, previous contests and audits are out of scope.

• https://github.com/morpho-org/morpho-blue
• https://github.com/morpho-org/morpho-blue-irm
• https://github.com/morpho-org/morpho-blue-oracles
• https://github.com/morpho-org/metamorpho
• https://github.com/morpho-org/universal-rewards-distributor
• https://github.com/morpho-org/public-allocator
• https://github.com/morpho-org/morpho-blue-bundlers
• https://github.com/morpho-org/bundler3
• https://github.com/morpho-org/metamorpho-v1.1
• https://github.com/morpho-org/pre-liquidation

Previous Audits:

Morpho’s completed audit reports can be found at:

• https://docs.morpho.org/security-reviews/. Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

Specific Types of Issues

• Informational findings.
• Design choices related to protocol. For example, the ability to deploy permissionless pools.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors.
• COMP rewards can be claimed as part of the reserve factor if COMP is listed as market.
• Someone can repay on behalf of Morpho.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.
• Some contracts are not set yet (eg: IncentivesVault).
• Manipulation of the matching engine. Here are some examples:
  • Split large amounts: On Morpho, pure supplier whales are always in the first positions of data structures and constantly matched/unmatched. What is possible to do is to supply a large amount with a first account. Borrow-repay (free), to match itself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge liquidity matched splitted across multiple accounts.
  • Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it’s possible to supply enough to become the first user waiting to be matched. Then borrow-repay (free), to match peer-to-peer the user itself as well as the second one. Then withdraw the flasloaned amount and end the tx. The user is thus matched peer-to-peer.

All other issues acknowledged in the audits in this repo:

• https://github.com/morpho-dao/morpho-v1/
• https://github.com/morpho-dao/morpho-aave-v3

Eligibility:

To participate in this program, security researchers must comply with the rules of engagement and must not:

• Be listed on OFAC's SDN list
• Have been an official contributor, either past or present
• Be employees or individuals closely associated with the project
• Be security auditors who directly or indirectly participated in the audit review

Morpho will require KYC information for processing payments on successful bug submissions. The following details must be provided:

• Full name
• Date of birth
• A copy of your passport or other government-issued ID

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.

Pendle is the first protocol that enables the trading of tokenized future yield on an AMM system. The project aims to give holders of yield-generating assets the opportunity to generate additional yield and to lock in future yield upfront, while offering traders direct exposure to future yield streams, without the need for an underlying collateral.

Further resources regarding the Pendle can be found at pendle.finance

The bug bounty program is focused around its smart contracts and is mostly concerned with the loss of user funds.

Contracts in Scope

Network: Mainnet Ethereum

Target URL	Type
Explorer Link	router
Explorer Link	ActionAddRemoveLiqV3
Explorer Link	ActionSwapPTV3
Explorer Link	ActionSwapYTV3
Explorer Link	ActionMiscV3
Explorer Link	ActionCallbackV3
Explorer Link	ActionStorageV4
Explorer Link	pendleSwap
Explorer Link	ptAndLpOracle
Explorer Link	yieldContractFactoryV3
Explorer Link	marketFactoryV3
Explorer Link	limitRouter
Explorer Link	vePendle
Explorer Link	senderEndpoint
Explorer Link	votingController
Explorer Link	gaugeController
Explorer Link	feeDistributorV2

Network: Arbitrum

Target URL	Type
Explorer Link	router
Explorer Link	ActionAddRemoveLiqV3
Explorer Link	ActionSwapPTV3
Explorer Link	ActionSwapYTV3
Explorer Link	ActionMiscV3
Explorer Link	ActionCallbackV3
Explorer Link	ActionStorageV4
Explorer Link	pendleSwap
Explorer Link	ptAndLpOracle
Explorer Link	yieldContractFactoryV3
Explorer Link	marketFactoryV3
Explorer Link	limitRouter
Explorer Link	receiverEndpoint
Explorer Link	vePendle
Explorer Link	gaugeController
Explorer Link	arbMerkleDistribution

Network: Optimism

Target URL	Type
Explorer Link	router
Explorer Link	ActionAddRemoveLiqV3
Explorer Link	ActionSwapPTV3
Explorer Link	ActionSwapYTV3
Explorer Link	ActionMiscV3
Explorer Link	ActionCallbackV3
Explorer Link	ActionStorageV4
Explorer Link	pendleSwap
Explorer Link	ptAndLpOracle
Explorer Link	yieldContractFactoryV3
Explorer Link	marketFactoryV3
Explorer Link	limitRouter
Explorer Link	receiverEndpoint
Explorer Link	vePendle
Explorer Link	gaugeController

Network: Binance Smart Chain

Target URL	Type
Explorer Link	router
Explorer Link	ActionAddRemoveLiqV3
Explorer Link	ActionSwapPTV3
Explorer Link	ActionSwapYTV3
Explorer Link	ActionMiscV3
Explorer Link	ActionCallbackV3
Explorer Link	ActionStorageV4
Explorer Link	pendleSwap
Explorer Link	ptAndLpOracle
Explorer Link	yieldContractFactoryV3
Explorer Link	marketFactoryV3
Explorer Link	limitRouter
Explorer Link	receiverEndpoint
Explorer Link	vePendle
Explorer Link	gaugeController

Network: Mantle

Target URL	Type
Explorer Link	router
Explorer Link	ActionAddRemoveLiqV3
Explorer Link	ActionSwapPTV3
Explorer Link	ActionSwapYTV3
Explorer Link	ActionMiscV3
Explorer Link	ActionCallbackV3
Explorer Link	ActionStorageV4
Explorer Link	pendleSwap
Explorer Link	ptAndLpOracle
Explorer Link	yieldContractFactoryV3
Explorer Link	marketFactoryV3
Explorer Link	limitRouter
Explorer Link	receiverEndpoint
Explorer Link	vePendle
Explorer Link	gaugeController

Additional scope:

All StandardizedYieldToken, PendlePrincipalToken, PendleYieldToken, PendleYieldTokenV2, and PendleMarket contracts of assets listed under the links below are in scope. Note that each asset will have a different SY but the same PT, YT, and Market.

• Ethereum Markets
• Binance Smart Chain Markets
• Arbitrum Markets
• Optimism Markets
• Mantle Markets

Award Levels

Rewards are capped at 10% of economic impact.

• Very Critical: Up to $2,000,000 USD, minimum payout $200,000 USD
• Critical: Up to $1,000,000 USD, minimum payout $100,000 USD
• High: Up to $100,000 USD, minimum payout $20,000 USD
• Medium: Up to $20,000 USD
• Below Medium: To be awarded at the discretion of Pendle Finance

Severity Definitions

For manipulation that can steal/freeze users' funds (excluding unclaimed yield)

Likelihood/Impact	>10% TVL	1-10% TVL	< 1% TVL
High	Very Critical	Critical	High or Critical
Medium	Critical	High or Critical	High
Low	High or Critical	High	Medium

For other manipulation

The Pendle team will exercise its discretion, together with the Cantina team, to judge the severity with the aim of awarding fairly to security researchers.

Likelihood/Impact	Significant	Moderate	Minimal
High	High or Critical	High	Medium
Medium	High	Medium	Below Medium
Low	Medium	Below Medium	Below Medium

Out of Scope (all repositories)

If an issue is discovered and is not from the files listed as In Scope above, security researchers are encouraged to report the finding. Awards for out of scope issues to be determined at the discretion of Pendle Finance.

The Pendle team will be very flexible in assessing all submissions, with the goal of prioritizing the security of the protocol.

Known Public Issues

Known issues from previous security reviews are considered out of scope.

• pendle-core-v2-public/audits are considered as out-of-scope.

Known but not Public Issues

Are considered out of scope.

Specific Types of Issues

• Informational findings.
• Design choices related to protocol
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.

Kiln On-Chain (v1) enables non-custodial platforms to propose an ETH staking offer where users can stake on dedicated validators while remaining the only one able to access their staked assets. The goal of these Ethereum Smart Contracts is to enable:

• Operator to register its validation keys deposit data on the Smart Contract
• Users to deposit on approved and available validation keys
• Manage the Execution and Consensus Layer rewards and exited ETH
• Perform the commission dispatching on these ETH when user performs a withdrawal action

This Bug Bounty is focused on the Staking Smart Contracts only, all items regarding dApps or validation infrastructure are out of scope.

For more information about Kiln On-Chain, please visit https://www.kiln.fi/ Kiln provides rewards in USDC. For more details about the payment process, please view the Rewards & Severity Levels below

Smart Contracts in Scope

Smart Contract	Link
Consensus Layer Fee Dispatcher	0x462Dd07A79e5DDfBe0C171449C5c01788d5d03C3
Consensus Layer Fee Dispatcher (testnet)	0xD36B422a7EE65219732724d849B8b6BceD6155Fe
Consensus Layer Fee Dispatcher Proxy	0xE8EC6F702D68ded71112031D78bBFf959c7234C7
Consensus Layer Fee Dispatcher Proxy (testnet)	0x50Dba42662FD69f5Fd9236540aaD9f99f7F6b3b2
Execution Layer Fee Dispatcher	0xca4DD914fA713214844c84F153A5e1627536a7fC
Execution Layer Fee Dispatcher (testnet)	0xa69dDEBd0B6893A6F3d34A5df610d0E2ED433D18
Execution Layer Fee Dispatcher Proxy	0x72b4C52f18f52EbA3E4290a002dF7c387427b058
Execution Layer Fee Dispatcher Proxy (testnet)	0x639d818639B85a1892Bfbb40Bd724b4Ddea43C0C
Fee Recipient	0x933fBfeb4Ed1F111D12A39c2aB48657e6fc875C6
Fee Recipient (testnet)	0x1AcD717aDF8A3A1e4c23C6510cfbE76834E3f1bf
Staking Contract	0x0A7272e8573aea8359FEC143ac02AED90F822bD0
Staking Contract (testnet)	0xcd01846F1b37aCE16916969989C136e3c52ef7d2
Staking Contract Proxy	0x1e68238ce926dec62b3fbc99ab06eb1d85ce0270
Staking Contract Proxy (testnet)	0xe8Ff2a04837aac535199eEcB5ecE52b2735b3543

All code of Kiln can be found at

• https://github.com/kilnfi/staking-contracts

Documentation for the assets provided in the table can be found at

• https://docs.kiln.fi/kiln-on-chain-v1/6eQVsjjelOTzT9cvtG8s/.

Severity Definitions

Smart Contracts severity levels

Severity level	Impact: High	Impact: Medium	Impact: Low
Likelihood:high	Critical	High	Medium
Likelihood:medium	High	Medium	-
Likelihood:low	Medium	-	-

Critical: - Complete loss of funds or permanent freezing of funds

High: - Theft of unclaimed yield, commission/fees or Permanent freezing of unclaimed yield - Temporary freezing of funds > 2 days (excluding potential delay due to an oracle).

Medium: - Smart contracts inoperable due to lack of funds - Griefing or unbounded gas consumption

A PoC is required for the following severity levels:

• Smart Contract:
  • Critical
  • High
  • Medium

Rewards

Rewards for Smart Contract Bugs

Severity	Reward Amount
Critical	$1,000,000
High	$100,000
Medium	$20,000

Reward Levels

• Critical: Upto 1,000,000, Minumum payout 100,000 Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided

• High: Upto 100,000, Minimum payout 20,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided. In case of a temporary freeze of funds, reward is proportional to the amount of funds locked and increases as the freeze duration increases up until the maximum cap of the High severity levels.

• Medium: Upto 20,000, Minimum payout $5,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided.

• The bug bounty will have a hard cap of $1,500,000. In the case of multiple bug findings are submitted that exceed this amount, the rewards will be distributed on a first come first served basis.

Out of Scope

These impacts are out of scope for this bug bounty program. General:

• Consequences resulting from exploits the reporter has already carried out, which lead to damage.
• Issues caused by attacks that require access to leaked keys or credentials.
• Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
• Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
• References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.

Smart Contracts:

• Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
• Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
• Problems related to insufficient liquidity.
• Issues stemming from Sybil attacks.
• Concerns involving risks of centralization.
• Suggestions for best practices.

Roles:

• Operator, Admin and Proxy Admin are trusted to behave properly and in the best interest of the users. They should not be considered as malicious. Submission citing malicious behaviour of these roles will be considered invalid.

Known Issues

Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.

• https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b

Specific Types of Issues

• Informational findings.
• Design choices related to protocol.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.

Disclosure

Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:

• Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
• Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
• During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
• After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
• The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
• If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.

KYC

The following information is required for payments:

• If the claim comes from an individual:
  • The first names, surnames, date and place of birth of the person concerned
    • A Valid ID
  • If the claim comes from a business:
    • Legal form, name, registration number and address of the registered office
    • Valid certificate of incorporation
    • List of shareholders/directors

Eligibility

Security researchers who fall under any of the following are ineligible for a reward

• Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Any denial of service attacks that are executed against project assets
• Automated testing of services that results in a denial of service
• Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
• Attempting phishing or other social engineering attacks against our employees and/or customers

LI.FI is a cross-chain aggregation protocol that combines multiple bridges and DEXs to enable seamless asset transfers between different blockchains. The protocol uses a diamond pattern (eip-2535) smart contract architecture where a main contract delegates calls to specialized facet contracts that handle specific bridge and DEX integrations. It simplifies cross-chain transfers for both developers and users by providing a single unified solution instead of requiring individual bridge integrations.

Scope

In-Scope Targets:

• Smart Contracts:

  • Repository: https://github.com/lifinance/contracts
  • Commit: Latest commit
  • Files: src/*

• Website:

  • scan.li.fi
  • li.fi

• WebApp:

  • portal.li.fi
  • li.quest(api)

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

• Bridge-Specific Exclusions and DEX Aggregation Exclusions

  • Relayer Latency: Issues related to bridge transaction confirmation times without security impact

  • Bridge Fee Fluctuations: Economic concerns about variable bridge fees

  • Cross-Chain Reorg Scenarios: Theoretical concerns requiring deep blockchain reorganizations

  • Bridge Liquidity Limitations: Reports about insufficient liquidity on specific chains

  • Oracle Price Delays: Standard delays in price feeds without demonstration of exploitation

  • Slippage Within Tolerance: Expected price impacts within user-specified slippage limits

  • MEV and Front-Running: Standard front-running that's inherent to public blockchains

  • Route Optimization Suggestions: Reports suggesting better routing algorithms without security impact

  • Gas Optimizations: Suggestions for reducing gas costs without security implications

  • DEX Availability Issues: Temporary unavailability of specific integrated DEXes

• Smart Contract Technical Exclusions

  • Centralization By Design: Admin control features that are documented and intentional
  • Non-Exploitable Reentrancy: Reentrancy patterns with proper safeguards in place
  • Flash Loan Attacks: Without proof of impact under realistic market conditions
  • Upgradeability Concerns: Issues inherent to our documented upgradeability pattern
  • Governance Attacks: Requiring unrealistic token accumulation (>10% of total supply)
  • Known & Acknowledged Issues: Any issue previously reported in an audit and acknowledged by the LI.FI team (find previous audit reports here)
  • Self-Crafted Calldata Risks: Our contracts are designed to be used with calldata generated by our backend. Any issues resulting from manually crafted calldata are out of scope, as such calldata may bypass protocol-level safety checks intentionally excluded for gas optimization.
  • Idle Fund Access in LiFiDiamond: The LiFiDiamond contract is not meant to hold funds. Crafting calldata to move or steal residual funds or dust is expected behavior and not a protocol vulnerability.
  • Cross-EVM Address Mismatch: Certain EVMs (e.g., zkEVMs) may produce different contract addresses. If this leads to issues not affecting production contracts and not triggered by backend-generated calldata, they are out of scope.
  • Deprecated Contracts: Anything located in the /archive folder is considered deprecated and out of scope.
  • Automated Findings by Lightchaser: Findings from this list are excluded unless otherwise validated by the team.
  • Duplicate Vulnerability Reports: Any vulnerability previously known and acknowledged by the LI.FI team
  • Atomic Transaction Reverts: Failures of individual swap or bridge steps within multi-step transactions are expected and revert the full transaction by design — this is not a vulnerability.
  • Precision & Dust Reverts in Integrations: Minor dust-related issues or precision mismatches causing reverts (e.g., underflows, insufficient input amounts) due to external DEX behavior are considered known limitations and out of scope.

• Out of Scope / Invalid Reports

  • Third-Party Protocol Issues: Bugs in third party code are out of scope
  • Known Issues: Vulnerabilities listed in our documentation as "Known Issues"
  • Test Code Vulnerabilities: Issues in non-production test code
  • User Error Scenarios: Vulnerabilities requiring users to input obviously incorrect parameters
  • Theoretical Exploits: Attack scenarios without practical proof-of-concept
  • Known Issues Under Remediation: Vulnerabilities that have already been identified or are in the process of being fixed.

• WebApp & Website Exclusions The following vulnerability types are explicitly excluded from the bug bounty program:

  • Client-Side Static Injections: Vulnerabilities that require modifying client-side code via browser developer tools or similar methods are not considered valid submissions.

  • Self-XSS Requiring Browser Console: Attacks requiring the victim to paste malicious code into their browser console are excluded.

  • OR-Based Injection Techniques: SQL injections or similar attacks that rely solely on logical OR operators without demonstrating actual data extraction or manipulation.

  • Theoretical Vulnerabilities: Issues that cannot be demonstrated with a practical proof of concept.

  • Rate Limiting Bypass through Multiple IPs: Using multiple IP addresses to circumvent rate limiting is not considered a valid vulnerability.

  • Missing Security Headers: Reports solely about missing security headers without demonstrating an actual exploit will not be accepted.

  • Social Engineering Required: Vulnerabilities requiring substantial social engineering to exploit are excluded.

  • Unvalidated Reports from Automated Tools: Findings from automated scanning tools without manual verification and exploitation proof.

  • Attacks Requiring Physical Access: Any attack that requires physical access to a user's device.

  • Clickjacking Using Iframes: Vulnerabilities related to framing the application within iframes (clickjacking) are excluded as these are addressed by our security headers and Content Security Policy.

  • Zero-day issues are not valid for five days after the CVE is publicly disclosed.

• Documentation/Minor Issues

  • Documentation Discrepancies: Without security impact
  • Missing Events: Lack of event emissions that don't impact security
  • Missing Zero-Address Checks: Unless they lead to permanent fund loss
  • Missing Input Validation: For non-critical parameters

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

  • We can setup a test environment upon request.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by LI.FI, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

The report must include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must meet the following requirements:

• Vulnerability Requirements

  • Discover Original Vulnerabilities: Submit previously unreported, in-scope vulnerabilities that aren't publicly known.
  • First Reporter Advantage: Be the first to report a specific vulnerability through proper channels.
  • Provide Clear Reproduction Steps: Include detailed information allowing our team to verify and fix the issue.
  • Responsible Disclosure: Report privately without public disclosure or exploitation for personal gain.
  • Minimize Impact: Take reasonable precautions to avoid data loss, privacy violations, or service disruptions.

• Researcher Requirements

  • No Duplicate Rewards: The vulnerability must not stem from an issue that has already received a bounty.
  • Legal Compliance: Use only legal methods when identifying and reporting vulnerabilities. Threats or coercion will disqualify submissions.
  • Age Requirement: Be at least 18 years old, or have parental/guardian consent if younger.
  • Sanctions Compliance: Not be subject to OFAC sanctions or reside in countries under OFAC embargo.
  • No Conflicts of Interest: Not be a current/former employee, vendor, or contractor who worked on the vulnerable code.
  • Program Compliance: Follow all program rules and guidelines as detailed in our documentation.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions for Smart Contracts:

• Critical:
  • An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 50%-100% of the daily total user transfers across all EVM chains supported by LI.FI.
  • Governance
• High:
  • An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 20%-50% of the daily total user transfers across all EVM chains supported by LI.FI.
• Medium:
  • An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 0.5%-20% of the daily total user transfers across all EVM chains supported by LI.FI.
  • Issues that could impact numerous users and have serious reputational, legal or financial implications
• Low/Informational:
  • Minimal direct risk but may indicate areas for improvement.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires very specific conditions.

Impact Definitions for WebApp and Website:

Critical

• For Website
  • Remote code execution (RCE) on production servers
  • SQL injection leading to full database access
  • Authentication bypass allowing unrestricted access to admin functionality
  • Ability to access, modify, or delete other users' data without authorization
  • Stored cross-site scripting (XSS) in high-traffic areas affecting multiple users
  • Session fixation/hijacking allowing complete account takeover
  • CSRF vulnerabilities that can change critical account settings or perform privileged actions
  • Vulnerabilities exposing PII (personally identifiable information) of multiple users
  • Insecure direct object references (IDOR) affecting sensitive data
  • Upload functionality allowing execution of malicious files
• WebApp
  • Authentication bypass allowing unrestricted API access
  • Authorization flaws allowing access to other users' data or functionality
  • Injection vulnerabilities (SQL, NoSQL, etc.) with significant data exposure
  • Broken access controls leading to privilege escalation
  • API keys or secrets exposure in responses
  • Rate limiting bypass that could lead to service disruption
  • Business logic flaws allowing unlimited resource consumption
  • Insecure deserialization vulnerabilities
  • Server-side request forgery (SSRF) with access to internal systems
  • Side-channel attacks revealing encryption keys or sensitive data

High Impact

• Website

  • Stored XSS in less critical areas
  • Reflected XSS requiring minimal user interaction
  • CSRF vulnerabilities affecting important but non-critical functions
  • Open redirects with potential for sophisticated phishing
  • Username/email enumeration combined with weak rate limiting on login
  • Insecure password reset functionality
  • Web Cache poisoning leading to injection of malicious code
  • Clickjacking vulnerabilities on sensitive functions
  • Unvalidated redirects to malicious sites
  • Moderate information disclosure of system information

• WebApp

  • Improper input validation leading to unexpected behavior
  • Insecure implementation of API authentication
  • Missing function-level authorization checks
  • Excessive data exposure in API responses
  • Improper asset management (unpatched/outdated API endpoints)
  • Mass assignment vulnerabilities
  • Unprotected admin functionality
  • Web Cache poisoning leading to injection of malicious code
  • Sensitive operation without requiring re-authentication
  • Insecure default configurations

Medium Impact

• Website
  • DOM-based XSS requiring complex user interaction
  • Reflected XSS with limited impact
  • CSRF in non-sensitive functions
  • Clickjacking on non-sensitive pages
  • Missing security headers (CSP, X-Frame-Options, etc.)
  • Weak password policies
  • Username/email enumeration
  • Web Cache poisoning leading to significant user disruption
  • Overly verbose error messages revealing implementation details
  • Insecure cookie settings (missing Secure/HttpOnly flags)
  • Mixed content warnings
• WebApp
  • Lack of proper HTTPS implementation
  • Missing rate limiting on non-critical endpoints
  • Verbose error messages revealing implementation details
  • Inconsistent authorization checks
  • Web Cache poisoning leading to significant user disruption
  • API versioning issues causing backward compatibility problems
  • Response manipulation weaknesses
  • HTTP method overriding issues

Low Impact

• Website

  • Self-XSS (requiring significant user interaction)
  • Cross-site request forgery (CSRF) on non-sensitive actions
  • Minor client-side security issues with limited impact
  • Minor information disclosure (versions, technology stack)
  • Missing but non-critical security headers
  • Expired SSL/TLS certificates
  • Lack of DNSSEC
  • Lack of HTTP Strict Transport Security (HSTS)
  • Minor issues with content security policy

• WebApp

  • Lack of API documentation
  • Lack of security-related HTTP headers
  • Unnecessary HTTP methods enabled
  • Improper caching configurations
  • Verbose API error codes
  • Outdated API versions still accessible but not used
  • Disclosure of non-sensitive server information
  • Missing MIME type checking with limited security impact
  • Lack of HTTP security headers on API responses
  • Suboptimal implementation of rate limiting
  • Insufficient logging of security events

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires very specific conditions.

Payout Guidelines

• Core Smart Contract Code

Risk Score	Payout Range
Critical	$100,000 to $1,000,000
High	$10,000 to $100,000
Medium	$5,000 to $10,000
Low	Discretionary

Rewards are capped at 10% of the funds impacted

• WebApp:

Risk Score	Payout Range
Critical	$10,000 to $25,000
High	$1,000 to $10,000
Medium	$500 to $1,000
Low	Discretionary

• Website:

Risk Score	Payout Range
Critical	$2,500 to $7,500
High	$1,000 to $2,500
Medium	Up to $1,000
Low	Discretionary

Note: Actual reward amounts are determined at LI.FI’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant LI.FI the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of LI.FI. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

PancakeSwap is a leading multi-chain DEX with ~$2B in TVL. It offers several products such as farming, derivatives, etc. PancakeSwap Infinity is the newest version of the DEX, designed to make swapping & liquidity provisioning faster, cheaper, and more flexible. It uses a modular design that allows for more customization using hooks and supports different types of AMM pools.

Scope

In-Scope Targets:

Core Contracts:

• https://github.com/pancakeswap/infinity-core

Contract	Address
Vault	0x238a358808379702088667322f80aC48bAd5e6c4
CLPoolManager	0xa0FfB9c1CE1Fe56963B0321B32E7A0302114058b
BinPoolManager	0xC697d2898e0D09264376196696c51D7aBbbAA4a9
CLProtocolFeeController	0x12F2a2965A665F8aBCf955C4dA26CC4Ec437b2c8
BinProtocolFeeController	0xC7C41cc1F0f4BC4CA96ac860E5c724B9A265B9A8
CLPoolManagerOwner	0x13f818BDC906C16764d8325809B4b67A9981f792
BinPoolManagerOwner	0x10944942c7EC351A4Aa36D59A40Cb741cc5c37cB

• https://github.com/pancakeswap/infinity-periphery

Contract	Address
CLPositionManager	0x55f4c8abA71A1e923edC303eb4fEfF14608cC226
BinPositionManager	0x3D311D6283Dd8aB90bb0031835C8e606349e2850
CLQuoter	0xd0737C9762912dD34c3271197E362Aa736Df0926
BinQuoter	0xC631f4B0Fc2Dd68AD45f74B2942628db117dD359
MixedQuoter	0x2dCbF7B985c8C5C931818e4E107bAe8aaC8dAB7C
TickLens	0x8BcF30285413F25032fb983C2bF4deFe29a33f3a

• https://github.com/pancakeswap/infinity-universal-router

Contract	Address
UniversalRouter	0xd9c500dff816a1da21a48a732d3498bf09dc9aeb
CLDynamicFeeHook (baseLpFee: 0.3%)	0x80DAf0057F5A454e70eAecD6e5F6769f563F7AC3
CLDynamicFeeHook (baseLpFee: 0.1%)	0x7136a877Cf751ffc7e826F64B72b3ac41ccc15EC
CLDynamicFeeHook (baseLpFee: 0.05%)	0x32C59D556B16DB81DFc32525eFb3CB257f7e493d
CLFeeHelper	0x4e6825d29BbeA5F29Ee7AEfA40C3EAaBB27A9733
Distributor	0xEA8620aAb2F07a0ae710442590D649ADE8440877
CampaignManagerV1	0x26Bde0AC5b77b65A402778448eCac2aCaa9c9115
HarvestReceiver	0x328F54EF595876aEB3061046a9d119ac7bCe9d5f
HarvestKeeper	0x2e56D72BA76239C359062f5155cBF76cCa0Ea277

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

• Anything outside of the in scope contracts.

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by PancakeSwap, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Report must include:

• A clear description of the vulnerability and its impact.

• Steps to reproduce the issue (proof of concept preferred).

• Conditions under which the issue occurs.

• Potential implications if exploited.

• Reports should be made as soon as possible—ideally within 24 hours of discovery.

• If a reported issue is exploited before it is fixed, the submission will not be eligible for a bounty.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

• Core Smart Contract Code

Risk Score	Payout Range
Critical	Up to $1,000,000
High	Up to $20,000
Medium	Up to $2,000
Low	-

Note:

• Rewards will be further capped at 5% of direct funds at risk at the time of reporting the bug.
• Actual reward amounts are determined at PancakeSwap’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant PancakeSwap the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of PancakeSwap. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

Story is a peer-to-peer intellectual property network that creates a programmable market for knowledge and creativity. Scientific and creative assets are registered on a universal ledger with customizable usage parameters. All assets are equipped with a composable interface that can be consumed by any software application or artificial intelligence model, allowing intellectual property to be used and monetized across the internet. A network-wide graph coordinates all intellectual property assets, with nodes representing atomic assets and edges representing the legal and economic commitments between them. The network evaluates the uniqueness of each asset via an asynchronous and decentralized validation service driven by cryptoeconomic incentives. Participation in the protocol contributes to the growth of the only open and permissionless repository of the world's knowledge and creativity.

In Scope:

The World's IP Blockchain has several layers: Layer 1 blockchain (Cosmos fork as CL, Geth fork with IPGraph precompile as EL), Proof of Creativity smart contract protocol and several apps to help users.

Blockchain Layer

Payout Matrix:

Payments will be in $IP tokens, denominated in USD at the time of submission.

Severity	Impact	Reward
Critical	Minting tokens violating protocol invariants (tokens per block, staked tokens). Takeover smart contract admin methods. Violating BFT assumptions, acquiring voting power vastly disproportionate (20x) to stake, or any other issue that can meaningfully compromise the integrity of the blockchain's proof of stake governance. User Fund Vulnerabilities: Exploits causing the permanent locking, loss, or theft of multiple user funds greater than $5M. Network not being able to confirm new transactions (total network shutdown ) requiring a hard fork or rollback to resolve	$30,000 - $600,000
High	Temporary total network shutdown or unintended chain split (duration greater than 1 hour). Non network critical loss of funds at protocol level	$10,000 - $30,000
Medium	Shutdown of greater than or equal to 30% of network processing nodes without brute force actions, but does not shut down the network. Moderate impact on usability, monetary losses, or integrity	$2,000 - $10,000
Low	Small impact, minor exploit that does not affect security	$500 - $2,000
Informational	No direct security impact, but best practice improvements	$0 - $100

Repos

• https://github.com/piplabs/story
• https://github.com/piplabs/story/tree/main/contracts
• https://github.com/piplabs/story-geth (Only the vulnerabilities related to our modifications to the Geth codebase)
• Story's modifications to Cosmos
  • https://github.com/piplabs/cosmos-sdk/tree/piplabs/v0.50.10

Smart Contract Layer: Proof of Creativity Smart Contract Protocol and Periphery

Payout Matrix:

Payments will be in $IP tokens, denominated in USD at the time of submission.

Severity	Impact	Reward
Critical	Protocol critical loss of funds and/or IPAsset property. Total denial of service caused by errors in the protocol smart contracts. Governance takeovers for protocol critical roles	$50,000 - $150,000
High	Non protocol-critical loss of funds and/or IPAsset property. Partial denial of service caused by errors in the protocol smart contracts	$10,000 - $50,000
Medium	Moderate impact on usability, monetary losses, or integrity	$2,000 - $10,000
Low	Small impact, minor exploit that does not affect security	$500 - $2,000
Informational	No direct security impact, but best practice improvements	$0 - $100

Repos

• https://github.com/storyprotocol/protocol-periphery-v1
• https://github.com/storyprotocol/protocol-core-v1

App Layer: Website, Apps and APIs:

• .storyprotocol.xyz
• .storyrpc.io
• .storyprotocol.net
• .story.foundation
• .storyapis.com
• .piplabs.xyz

Payout Matrix:

Payment will be in $IP tokens, denominated in USD at the time of submission.

Severity	Impact	Examples	Reward
Critical	Full compromise of wallets, infrastructure, or API security	Account takeover, Private key leakage, RCE on production systems, SSRF leading to internal network access, database dumps with sensitive data, critical auth bypass, takeover of Story Protocol's cloud environment (e.g., AWS, GCP, Azure)	$3000 - $30000
High	Major security impact but no full compromise	High-impact IDOR, significant authentication/authorization bypass, stored XSS affecting admin or privileged users, SSRF leading to internal metadata exposure, high-severity API leaks	$1500 - $3000
Medium	Moderate security impact with limited scope	Low-impact IDOR, reflected/stored XSS affecting standard users, moderate API misconfigurations, rate-limiting bypasses that allow mass account enumeration, sensitive information exposure in error messages	$500 - $1500
Low	Minor security misconfigurations with limited real-world impact	Self-XSS, missing security headers, lack of HTTP-only or secure flags on cookies, rate-limiting bypass on non-sensitive endpoints	$100 - $500
Informational	No immediate security impact, but good security hygiene	Minor misconfigurations, DNS record leaks, outdated libraries (with no PoC exploit), security best-practice suggestions	$0

Out of Scope:

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Entries generated with ChatGPT/LLM tools.
• Entries without any working POC.
• Previously known vulnerabilities (resolved or not) on the Ethereum network (and any other fork of these).
• Previously known vulnerabilities in Tendermint, cosmos-sdk and or/any other fork of these.
• Impacts requiring attacks that the reporter has already exploited themselves, leading to damage.
• Impacts caused by attacks requiring access to leaked keys/credentials.
• Impacts caused by attacks requiring access to privileged addresses (governance and other RBAC roles) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible.
• Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production.
• Issues reported in the previous Cantina Competition. Report available soon.
• Issues from our previous security audits.
• Feature requests and best practice recommendations.
• Social engineering and phising.

Smart Contracts/Blockchain

• Incorrect data supplied by third party oracles.
• Impacts requiring basic economic and governance attacks (e.g. 51% attack).
• Lack of liquidity impacts.
• Impacts from Sybil attacks.
• Impacts involving centralization risks.
• 3rd party asset drainers that use phishing and ERC20/ERC721 approve() or other standard methods.

Website and Apps

• Theoretical impacts without any proof or demonstration.
• Impacts involving attacks requiring physical access to the victim device.
• Impacts involving attacks requiring access to the local network of the victim.
• Reflected plain text injection (e.g. url parameters, path, etc.).
• This does not exclude reflected HTML injection with or without JavaScript.
• Open ports with no proven risk (e.g., port 22 open on SSH with key-based authentication).
• Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
• Stack traces & error messages (unless they leak sensitive information).
• Captcha bypass using OCR without impact demonstration.
• Impacts causing only the enumeration or confirmation of the existence of users or tenants.
• Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
• Lack of SSL/TLS best practices.
• Impacts that only require DDoS.
• UX and UI impacts that do not materially disrupt use of the platform.
• Impacts primarily caused by browser/plugin defects.
• Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
• Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
• Publicly accessible .git directories (if no sensitive files are exposed).
• SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
• Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
• Clickjacking on non-sensitive pages (e.g., informational pages).
• Self-XSS (XSS that only affects the person reporting it).
• CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
• CORS misconfigurations that do not allow credential theft or sensitive data exposure.
• Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
• Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
• Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
• Session fixation (not relevant if the system uses stateless authentication like JWTs).

Program Rules

• Theoretical entries, entries without any working POC and ones generated with ChatGPT/LLM tools will be discarded. Any medium or higher severity vulnerabilities should come with a working POC that can be demonstrated on a local test environment that can be reproduced with the instructions in the appendix.
• You must send a clear and concise textual description of vulnerability, along with steps to reproduce the issue and/or a Proof of Concept, include attachments such as screenshots or proof of concept code as necessary.
• Avoid using web application scanners for automatic vulnerability searching which generates massive traffic.
• Make every effort not to damage or restrict the availability of products, services, or infrastructure.
• Avoid compromising any personal data, interruption, or degradation of any service.
• Don't access or modify other user data, localize all tests to your accounts.
• Perform testing only within the scope.
• Don't exploit any DoS/DDoS vulnerabilities, social engineering attacks, or spam.
• Don't spam forms or account creation flows using automated scanners.
• Don't break any law and stay in the defined scope.
• Any details of found vulnerabilities must not be communicated to anyone who is not Cantina Team or an authorized employee of Piplabs or Story Foundation without appropriate permission.
• In case that your findings is valid you will be asked for KYC verification to proceed with payments.

Eligibility

We are happy to thank everyone who submits valid reports which help us improve the security. However, only those that meet the following eligibility requirements may receive a monetary reward:

• Current employees ,vendors (auditors), partners and contractors of Story Protocol and Story Foundation are not eligible to participate in the bug bounty program.
• Former employees and contractors of Piplabs and Story Foundation, who ceased working with the aforementioned entities must wait 6 months before they are eligible to participate in the bug bounty program.
• Sanctioned individuals and/or organizations are not eligible to participate in the bug bounty program. These restrictions are put in place to ensure the objectivity of the bug bounty program and to prevent any potential conflicts of interest.
• You must be the first reporter of a vulnerability.
• The vulnerability must be a qualifying vulnerability
• Any vulnerability found must be reported no later than 24 hours after discovery and exclusively through Cantina.

Disclosure Guidelines

• Do not discuss this program or any vulnerabilities (even resolved ones) outside of the program without express consent from the organization.
• No vulnerability disclosure, including partial is allowed for the moment. The team will disclose the vulnerability publicly when safe, thanking the researcher if they choose to.

Response Times

• Critical: Response within 24 hours.
• High:- Response within 48 hours.
• Medium: and Low - Response within 72 hours.

Kiln On-Chain (v2) enables non-custodial platforms to propose an ETH staking offer where users can stake any amount of ETH on operator pools while remaining the only one able to access their staked assets.

The goal of these Ethereum Smart Contracts is to enable:

• Operator to register its validation keys deposit data on their operator vFactory Smart Contract
• Operator to propose deposit services like pooling on top of their vFactory
• Integrators to propose white-labelled staking offers on top of operator pools with their Smart Contract
• Users to deposit any amount of ETH to be staked
• Enable Integrators, Operators to have a performance fee dispatched on-chain

This Bug Bounty is focused on Kiln On-Chain v2 Smart Contracts only, all items regarding dApps or validation infrastructure are out of scope but can be submitted at [email protected].

For more information about Kiln On-Chain, please visit https://www.kiln.fi/kiln-on-chain

Smart Contracts in Scope

Smart Contract	Link
Nexus	0x8a113da63f02811e63c1e38ef615df94df5d9e70
Factory (Coinbase Cloud)	0x2d5e65ff87d986d18ac224e725dc654bec3a04cd
Pool (Coinbase Cloud Pool)	0x8eea6cc08d824b20efb3bf7c248de694cb1f75f4
Oracle Aggregator (Coinbase Cloud Pool)	0x4e6a0740aa4c89c7e36c430afe3dd3bec68b6aec
Pool (Coinbase Cloud Pool)	0xd54ede626441ae514b15743d6a78a74c664b30a2
Oracle Aggregator (Coinbase Cloud Pool)	0x99a6d933bd22040136b7ccd5dbc3acdf2c103be6
Factory (Kiln)	0xc63d9f0040d35f328274312fc8771a986fc4ba86
Pool (Kiln Pool)	0x00a0be1bbc0c99898df7e6524bf16e893c1e3bb9
Oracle Aggregator (Kiln Pool)	0xd9f56e8a1b159b1482ec3bb6ce742fa5ce084f4c
factoryHatcher	0xa748ae65ba11606492a9c57effa0d4b7be551ec2
treasuryHatcher	0x48005e62373277fbbe5584b351830b1b2ec1e3fd
poolHatcher	0x1d6103243d0507a9d1314bac09379bf57a5cf155
withdrawalRecipientHatcher	0x066b6c3fca9034395068eb9d442ee5041eac33dc
execLayerRecipientHatcher	0xdac8cf86ca42185ebce7ed2dbec9bc2be1734ffc
coverageRecipientHatcher	0x24d6e12fa25b7f8fc6b4bba0ea77fc643d7210d3
oracleAggregatorHatcher	0xc2c48fbfec0e61683133aaff32c9c2e98fd17788
exitQueueHatcher	0x24a1dfebaec4e501c2152a5e4a434b236fce3d3b
ONTO Wallet Staked ETH (owsETH)	0x0a3d5e898fa7e7d593a940486095c156c01a0b0c
Staking Rewards Partial ETH (srpETH)	0x18099b65842cada4d87075920986559d9216a5bf
On-Chain Staked Ethereum (ocsETH)	0x2401c39d7ba9e283668a53fcc7b8f5fd9e716fdf
CDP Staked ETH (CDPstakedETH)	0x2e3956e1ee8b44ab826556770f69e3b9ca04a2a7
Coinbase Wallet Staked ETH (cbwsETH)	0x30a4aa1d14d44f0f5bfe887447ab6facc94a549f
CoolWallet Staked ETH (cwstETH)	0x42ecf9bde9078d659663da66b97c4823f762005e
Crypto.com Defi Wallet ETH (cdwETH)	0x437636e4b984eae19045626aa269a89f906cf96c
Walletverse Staked ETH (wvETH)	0x594db36d6f3e747f2c7675659f712bf4d72a9f97
Giddy Wallet Staked ETH (GiddyETH)	0x5b1c9ee05794e9667806f1bd1c6ae6d196498183
Pooled Staked ETH (psETH)	0x5db5235b5c7e247488784986e58019fffd98fda4
Bitnovo Staked ETH (bnETH)	0x61ac42269d0035cd86c52b6c5bb299daa73c7135
CDP Staked ETH (CDPstakedETH)	0x7d4b92522df1c7d211cbab49148d9d260b5a5e41
Dakota Kiln Staked ETH (dkETH)	0x9995f241c6a0d5b712281dfd3bd0e0289a5f2a98
MEW_Coinbase Staked ETH (MEWcbETH)	0xba1613cf1ff0d7307315f1d98465e27877ad3f02
Veno Kiln staked ETH (VenoKilnETH)	0xe5faa3fcc7729c3ac7b4571207bb5978e5c33e81

Documentation for the assets provided in the table can be found at

• https://docs.kiln.fi/v1/kiln-products/on-chain/pooled-staking

Severity Definitions

Smart Contracts severity levels

Severity level	Impact: High	Impact: Medium	Impact: Low
Likelihood:high	Critical	High	Medium
Likelihood:medium	High	Medium	-
Likelihood:low	Medium	-	-

Critical: - Complete loss of funds or permanent freezing of funds

High: - Theft of unclaimed yield, commission/fees or Permanent freezing of unclaimed yield - Temporary freezing of funds > 2 days (excluding potential delay due to an oracle).

Medium: - Smart contracts inoperable due to lack of funds - Griefing or unbounded gas consumption

A PoC is required for the following severity levels:

• Smart Contract:
  • Critical
  • High
  • Medium

Rewards

Rewards for Smart Contract Bugs

Severity	Reward Amount
Critical	$500,000
High	$50,000
Medium	$20,000

Reward Levels

• Critical: Upto 500,000, Minumum payout 100,000 Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided

• High: Upto 50,000, Minimum payout 20,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided. In case of a temporary freeze of funds, reward is proportional to the amount of funds locked and increases as the freeze duration increases up until the maximum cap of the High severity levels.

• Medium: Upto 20,000, Minimum payout $5,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided.

• The bug bounty will have a hard cap of $1,000,000. In the case of multiple bug findings are submitted that exceed this amount, the rewards will be distributed on a first come first served basis.

Out of Scope

These impacts are out of scope for this bug bounty program. General:

• Consequences resulting from exploits the reporter has already carried out, which lead to damage.
• Issues caused by attacks that require access to leaked keys or credentials.
• Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
• Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
• References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.

Smart Contracts:

• Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
• Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
• Problems related to insufficient liquidity.
• Issues stemming from Sybil attacks.
• Concerns involving risks of centralization.
• Suggestions for best practices.

Roles:

• Admin, proxy admin, hatcher admin, treasury, oracles and other admin roles are trusted to behave properly and in the best interest of the users. They should not be considered as malicious. Submission citing malicious behaviour of these roles will be considered invalid.

Known Issues

Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.

• https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b

Specific Types of Issues

• Informational findings.
• Design choices related to protocol.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.

Disclosure

Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:

• Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
• Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
• During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
• After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
• The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
• If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.

Eligibility

Security researchers who fall under any of the following are ineligible for a reward

• Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.

KYC

The following information is required for payments:

• If the claim comes from an individual:
  • The first names, surnames, date and place of birth of the person concerned
    • A Valid ID
  • If the claim comes from a business:
    • Legal form, name, registration number and address of the registered office
    • Valid certificate of incorporation
    • List of shareholders/directors

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Any denial of service attacks that are executed against project assets
• Automated testing of services that results in a denial of service
• Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
• Attempting phishing or other social engineering attacks against our employees and/or customers

Kiln DeFi enables non-custodial platforms to propose DeFi yield products (like lending supply or rwa distributor) where users can deposit any amount of ERC20 on a vault while remaining the only one able to access their staked assets.

The goal of these EVM Smart Contracts is to enable:

• Users to deposit to supported protocols with a common 4626 interface
• Enable Integrators, and any third parties enabled by the integrator to have a fee on the rewards generated or on the deposit, dispatched on-chain

This Bug Bounty is focused on Kiln DeFi Smart Contracts only, all items regarding dApps or indexing / reporting stacks are out of scope but can be submitted at [email protected].

For more information about Kiln DeFi, please visit https://www.kiln.fi/defi

Smart Contracts in Scope

Ethereum mainnet

Smart Contract	Link
Vault Implementation	0x1d7f221965e68475d44d1a8357f3211799b55e24
VaultUpgradeableBeacon	0x15f7f910e5a8c86e609fd11c58f7342d86d3a25c
ConnectorRegistry	0xEEEBc7537717a39b747015FEaE221C1F069daE0b
VaultFactory	0xA59a98872393BE8410C42f8EED13821fa85A32a1
AaveV3Connector	0x0D97Fa6C8F668E98C1ED9f6bB9Ec6d245d11DF41
CompoundV3Connector	0xF259CF58d4ddc9E3C8AbEA3EEBA5710db3F71045
CompoundV3MarketRegistry	0x08f80358Ce68363Ec06304cE667F1727246C852D
SDAIConnector	0xb569824646a31fc950abe23B150d020c38B59D26
Proxy (Bitcoin.com Spark DAI vault)	0xF4918Ef824a242602E0d3e5DB07fFd4DaC4ad3Ea

BNB mainnet

Smart Contract	Link
Vault Implementation	0x59d323355F4b257097e041C4776b7492Ed294Ea4
VaultUpgradeableBeacon	0x50006F2C5C914cEF560ceeD7686f038480199202
ConnectorRegistry	0xdaAd68A24d658F8e123b8620Fd8249C340749eCf
VaultFactory	0x004074879Bc69E9B95084580A6Cc132a19b7A3Ac
AaveV3Connector	0x124d426898eF174aa8D23f548fCfd13c34F91D2B
Proxy (Cool Wallet AaveV3 USDT)	0x4d1806C26A728f2e1b82b4549b9E074DBE5940B9

Arbitrum mainnet

Smart Contract	Link
Vault Implementation	0x55Ee64c446c44e2bDcbD4242341D4a5A2DD61034
VaultUpgradeableBeacon	0xB03DDF4375E879B8E3bc240527bc55988c975ac4
ConnectorRegistry	0x75df468D9Aa3438cd12d98606Bb71B73145e9972
VaultFactory	0xd717eDe67EE3c5cAf385E392f2176c320E06Dd9d
AaveV3Connector	0x431ED6d951C0d97D9B33Fb5e26Bc589D75C3D05d
CompoundV3Connector	0x0F3Fa73dcF101F328AbFdD9176Cd11a16BD7bc16
CompoundV3MarketRegistry	0x9cb057f462BBd076E5dD30C5f5d5dfa97ab006D3
Proxy (Bitnovo Compound v3 USDC)	0x19A0F016Ac3989e754ab8216810beD8503bDA37e

Polygon mainnet

Smart Contract	Link
Vault Implementation	0xD04a891b7d4c42f51FCF6e88e47800dAec5B0CbF
VaultUpgradeableBeacon	0x89312A13D978820F15bC9414ef6ec9cC004C5D1f
ConnectorRegistry	0xB55BCCcc4837FD5E960944cf2828e202deBF0891
VaultFactory	0x8cC927d0CFb6F9ddC4E6d20f5e5d23E8162eA602
AaveV3Connector	0xa85aa46892D9a0087B59883F417bF23C3Ab4c920
Proxy (Cool Wallet AaveV3 USDT)	0x03441c89e7b751bb570f9dc8c92702b127c52c51

Optimism mainnet

Smart Contract	Link
Vault Implementation	0x4094fc930CcFe3fc3A9369BE7335467dac8b20fa
VaultUpgradeableBeacon	0xE1CacE168150265E1b1bC6E9c1636B747928a1D8
ConnectorRegistry	0x30cD15434d0d979b75ACe5116199d26623F6A804
VaultFactory	0xC65f4f4E6eFaeB68F900B90AfB00bF9D5A71D102
AaveV3Connector	0x35a60d4bDeedb3d6103ae1521cd985C649D81297
Proxy (Dakota AAVE v3 USDC)	0xb9ebff375d5eade50ed561f611754902f70e34cf

Documentation for the assets provided in the table can be found at https://docs.kiln.fi/v1/kiln-products/defi.

Severity Definitions

Smart Contracts severity levels

Severity level	Impact: High	Impact: Medium	Impact: Low
Likelihood:high	Critical	High	Medium
Likelihood:medium	High	Medium	-
Likelihood:low	Medium	-	-

Critical: - Complete loss of funds or permanent freezing of funds

High: - Theft of unclaimed yield, or Permanent freezing of unclaimed yield - Temporary freezing of funds > 2 days (excluding potential delay due to an oracle).

Medium: - Smart contracts inoperable due to lack of funds - Griefing or unbounded gas consumption - Theft of any commission/fees

A PoC is required for the following severity levels:

• Smart Contract:
  • Critical
  • High
  • Medium

Rewards

Rewards for Smart Contract Bugs

Severity	Reward Amount
Critical	$500,000
High	$50,000
Medium	$20,000

Reward Levels

• Critical: Upto 500,000, Minimum payout 100,000 Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.

• High: Upto 50,000, Minimum payout 20,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided. In case of a temporary freeze of funds, reward is proportional to the amount of funds locked and increases as the freeze duration increases up until the maximum cap of the High severity levels.

• Medium: Upto 20,000, Minimum payout $5,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided.

• The bug bounty will have a hard cap of $1,000,000. In the case of multiple bug findings are submitted that exceed this amount, the rewards will be distributed on a first come first served basis.

Out of Scope

These impacts are out of scope for this bug bounty program. General:

• Consequences resulting from exploits the reporter has already carried out, which lead to damage.
• Issues caused by attacks that require access to leaked keys or credentials.
• Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
• Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
• References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.

Smart Contracts:

• Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
• Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
• Problems related to insufficient liquidity.
• Issues stemming from Sybil attacks.
• Concerns involving risks of centralization.
• Suggestions for best practices.

Roles:

• Admin, proxy admin, hatcher admin, treasury, oracles and other admin roles are trusted to behave properly and in the best interest of the users. They should not be considered as malicious. Submission citing malicious behaviour of these roles will be considered invalid.

Known Issues

Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.

• https://kilnfi.notion.site/EXTERNAL-AUDITS-479819dce90540d1a0800c0541d2352b

Specific Types of Issues

• Informational findings.
• Design choices related to protocol.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.

Disclosure

Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:

• Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
• Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
• During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
• After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
• The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
• If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.

Eligibility

Security researchers who fall under any of the following are ineligible for a reward

• Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.

KYC

The following information is required for payments:

• If the claim comes from an individual:
  • The first names, surnames, date and place of birth of the person concerned
    • A Valid ID
  • If the claim comes from a business:
    • Legal form, name, registration number and address of the registered office
    • Valid certificate of incorporation
    • List of shareholders/directors

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Any denial of service attacks that are executed against project assets
• Automated testing of services that results in a denial of service
• Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
• Attempting phishing or other social engineering attacks against our employees and/or customers

Introduction

Injective is a lightning fast interoperable layer one optimized for building unmatched Web3 finance applications. Injective is incubated by Binance and is backed by prominent investors such as Jump Crypto, Pantera and Mark Cuban. The goal of this Bug Bounty Program is to encourage responsible security research by providing incentives for finding and reporting vulnerabilities in Injective’s codebase and related systems. By participating in this Program, you help us maintain a safe, secure, and reliable environment for our users.

Scope

In-Scope Targets

• Core Contracts

  • https://github.com/InjectiveFoundation/injective-core
  • https://github.com/InjectiveLabs/peggo/blob/master/solidity/contracts/Peggy.sol
  • https://github.com/InjectiveLabs/swap-contract

• Web Interface / Application:

  • https://injective.com/
  • https://helixapp.com/
  • https://mito.fi/
  • https://hub.injective.network/

If you discover a vulnerability in any component not explicitly listed but which poses a risk to user funds, user data, or system integrity, you may submit it for consideration. Our team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

Vulnerabilities found in vendor systems such as Cosmos-SDK, IBC, CometBFT and CosmWasm fall outside this policy and should be reported to the respective vendor following their disclosure policy (if any).

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by Optimism, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Reports must incude:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

• To be eligible for a reward, you must:
  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

• Core Smart Contract Code:

Risk Score	Payout Range
Critical	Up to $500,000
High	Up to $100,000
Medium	Up to $25,000
Low	Discretionary

• Web Interface / Frontend:

Risk Score	Payout Range
Critical	Up to $50,000
High	Up to $30,000
Medium	Up to $10,000
Low	Discretionary

Note: Actual reward amounts are determined at Injective’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.

Other Terms

By submitting a report, you grant Injective the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Injective. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.

Chronicle Protocol is a novel Oracle solution that has exclusively secured over $10B in assets for MakerDAO and its ecosystem since 2017. With a history of innovation, including the invention of the first Oracle on Ethereum, Chronicle Protocol continues to redefine Oracle networks. A blockchain-agnostic protocol, Chronicle overcomes the current limitations of transferring data on-chain by developing the first truly scalable, cost-efficient, decentralized, and verifiable Oracles, rewriting the rulebook on data transparency and accessibility.

Scribe's technical documentation at docs/ provides complete documentation of the technical decisions, external assumptions, internal invariants, as well as deployment and maintenance guides.

chroniclelabs.org

Smart Contracts in Scope

Scribe

chronicleprotocol/scribe/tree/v2

In scope:

• everything in src/
• special focus for us:
  • Unauthorized auth access
  • Unauthorized addition or removal of validator/feed
  • Being able to report a malicious price update
  • Constructing a non-challengeable, invalid opPoke
  • No "special" evm assumptions, ie evm fragmentation is a big issue and we want Scribe to be deployable on L2s etc without adjustments

Severity Definitions

Severity level	Impact: High	Impact: Medium	Impact: Low
**Likelihood:high**	Critical	High	Medium
**Likelihood:medium**	High	Medium	-
**Likelihood:low**	Medium	-	-

Smart Contracts

Severity level	Impact: High	Impact: Medium
Likelihood:high	$400,000.00	$30,000.00
Likelihood:medium	$30,000.00	$10,000.00

Out of Scope (all repositories)

Known Issues

Known issues (Acknowledged/won't fix) from previous security reviews are considered out of scope.

• Find previous security reviews here
• Schnorr signature aggregation scheme is vulnerable to rogue-key attacks (described here) Schnorr signature aggregation scheme is vulnerable to private keys with linear relationship (described here)

Specific Types of Issues

• Informational findings.
• Design choices related to protocol.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors.
• Relatively high gas consumption.

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Conflict of Interest: any employee or contractor working with Chronicle Labs cannot participate in the Bug Bounty.

Threshold USD is a decentralized protocol that enables you to borrow thUSD, a stablecoin soft-pegged against USD and backed by ETH and tBTC as collaterals with a minimum collateral ratio of 110%. Originated as a modified fork of Liquity Protocol, Threshold USD was built to be self-sustained through a PCV ("Protocol Controlled Value"). There is no equivalent of LQTY token in Threshold USD. Instead all revenues accrue into the PCV. Since there is no token, Bootstrapping is completed through an Initial Protocol Loan. The result of the protocol owning its own liquidity ("PCV"), is a more predictable trajectory and a sustainable long-term product. The stability pool is funded by the PCV instead of user deposits, so no funds are wasted on rewards and those funds can instead be re-injected into the stability pool. As the protocol grows and accrues fees, the stability pool will be consistently topped up.

For more information about thUSD, please visit https://app.thresholdusd.org/

Visit the docs for a complete project overview.

Smart Contracts in Scope

Smart Contract	Link
THUSDToken	https://etherscan.io/address/0xCFC5bD99915aAa815401C5a41A927aB7a38d29cf
BorrowerOperations (tBTC)	https://etherscan.io/address/0xf5e4fFeB7d2183B61753AA4074d72E51873C1D0a
StabilityPool (tBTC)	https://etherscan.io/address/0xF6374AEfb1e69a21ee516ea4B803b2eA96d06f29
TroveManager (tBTC)	https://etherscan.io/address/0xfC7d41A684b7dB7c817A9dDd028f9A31c2F6f893
PCV (tBTC)	https://etherscan.io/address/0x097f1ee62E63aCFC3Bf64c1a61d96B3771dd06cB
PriceFeed (tBTC)	https://etherscan.io/address/0x83aE3931C5D03773755311372c0737F856657a43
bLens (tBTC)	https://etherscan.io/address/0x65222d72f13860913fEF03f088c385Cbfc11A50c
BAMM (tBTC)	https://etherscan.io/address/0x1f490764473eb1013461D6079F827DB95d8B4DC5
SortedTroves (tBTC)	https://etherscan.io/address/0xA5626CBA9A4448019e73CE59784bD22736986711
ActivePool (tBTC)	https://etherscan.io/address/0x4dbcb0cFf525B91E8b9D18b224c1B45feF008549
CollSurplusPool (tBTC)	https://etherscan.io/address/0x3BEC529c86317C64305dc161998Fb7f40078F200
multiTroveGetter (tBTC)	https://etherscan.io/address/0xd74DFFDC614b84610329AF4707D8Dcc484c735d0
DefaultPool (tBTC)	https://etherscan.io/address/0xbe037954B419676904117F0D7d7e15f78FF1Bf4B
GasPool (tBTC)	https://etherscan.io/address/0x8a7C0b18FB80Bd0a1d3530262B15264278e5f64D
HintHelpers (tBTC)	https://etherscan.io/address/0x2249e86a4b99EcCC081600C11B2B30FF64202f55
TellorCaller (tBTC)	https://etherscan.io/address/0x0278aC7067F66a66a91466cd420f6F8Efae15C32
BorrowerOperations (ETH)	https://etherscan.io/address/0x874a8ee5b4Cc0B9973c7c002FA891fc28666cAA9
StabilityPool (ETH)	https://etherscan.io/address/0xA18Ab4Fa9a44A72c58e64bfB33D425Ec48475a9f
TroveManager (ETH)	https://etherscan.io/address/0x27D7D02AED6C4F95Ada2faf02DcCB9666D3abB8C
PCV (ETH)	https://etherscan.io/address/0x1a4739509F50E683927472b03e251e36d07DD872
PriceFeed (ETH)	https://etherscan.io/address/0x684645ccAB4d55863A149C52eC3176051Cdb732d
bLens (ETH)	https://etherscan.io/address/0xf21AcB3C2E8418fc5466bc794f9970df7255aE28
BAMM (ETH)	https://etherscan.io/address/0x920623AcBa785ED9a70d33ACab53631e1e834675
SortedTroves (ETH)	https://etherscan.io/address/0xE5Ada07ACE9412A623B0A282Cd67d16a3a094E17
ActivePool (ETH)	https://etherscan.io/address/0xE922B5591Da479a559b25261BD6Dc8f89cA1A29d
multiTroveGetter (ETH)	https://etherscan.io/address/0x8836b66727bbde25974110442Bb46B7a4805B36c
CollSurplusPool (ETH)	https://etherscan.io/address/0x67dbd2ad541c61d37F17B0515d2e452e04597A36
DefaultPool (ETH)	https://etherscan.io/address/0xa8BdAb0F0D3f5Cd04d29df5f4ba6B43d7cdb7Ba9
GasPool (ETH)	https://etherscan.io/address/0x34Fbfd06Cb537aBd1a75E91A9Cf7F5B61B47eCa6
HintHelpers (ETH)	https://etherscan.io/address/0xF3dA35dd10Ed653Fd66Eb03D349EDfD139521Df5
TellorCaller (ETH)	https://etherscan.io/address/0xD1ACC73E5617EA6a4676C534b266193Ac633DeA2
RedStone Adapter (ETH)	https://explorer.gobob.xyz/address/0x3318adE690b5A1029c2dF032FCe52D455e437514
RedStone Adapter (tBTC)	https://explorer.gobob.xyz/address/0x87C80adC0E1cf4696B8850c8aE7B43Eb2781Ba1f
Frontend-dev	https://github.com/Threshold-USD/dev/tree/thUSD/packages/dev-frontend

• All code of thUSD can be found at https://github.com/Threshold-USD/dev/tree/thUSD.

Severity Definitions

Smart Contracts severity levels

Severity level	Impact: High	Impact: Medium	Impact: Low
Likelihood:high	Critical	High	Medium
Likelihood:medium	High	Medium	Low
Likelihood:low	Medium	Low	-

• Critical:

  • Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Protocol insolvency

• High:

  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Temporary freezing of funds for more than 1 week

• Medium:

  • Smart contract unable to operate due to lack of token funds
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Unbounded gas consumption

• Low:

  • Contract functions affected but does not result in loss of fund or impact severely

Website and application severity levels

• Critical:

  • Gaining access to sensitive data or files from an active server, such as:
    • /etc/shadow,
    • Passwords and private keys (excluding non-sensitive environment variables, open-source code, or usernames).
  • Performing authenticated, state-modifying actions (with or without blockchain state interaction) on behalf of other users without their consent.
  • Subdomain takeover that allows interactions with an already-connected wallet.
  • Direct theft of user funds.
  • Malicious activities involving an already-connected wallet, such as:
    • Altering transaction arguments or parameters,
    • Replacing contract addresses,
    • Executing malicious transactions.

• High:

  • Injecting or modifying static content on the target application without using JavaScript (Persistent), including:
    • HTML injection without JavaScript,
    • Replacing existing text with arbitrary content,
    • Uploading arbitrary files, etc.
  • Subdomain takeover without interactions involving an already-connected wallet.
  • Causing the application or website to become unavailable or go offline.

A PoC is required for the following severity levels:

• Smart Contract - All severities
• Web/App - Critical
• Web/App - High
• Web/App - Medium

Rewards

Rewards for Smart Contract Bugs

Severity	Reward Amount	PoC Required
Critical	$250,000	Yes
High	$20,000	Yes
Medium	$2,000	Yes
Low	$1,000	Yes

Reward Levels

• Critical: Upto $250,000, Minumum payout$7,500 Rewards will be further capped at 10% of direct funds at risk if the bug discovered is exploited
• High: Upto $20,000, Minimum payout$5,000 Rewards will be further capped at 100% of direct funds at risk if the bug discovered is exploited.

Rewards for Website & Application

Severity	Reward Amount	PoC Required
Critical	$10,000	Yes
High	$5,000	Yes
Medium	$1000	Yes

Reward Levels

• Critical: Upto $10,000, Minumum payout$5,000 Rewards will be further capped at 10% of direct funds at risk if the bug discovered is exploited

• High: Upto $5,000, Minimum payout$1,000 Rewards will be further capped at 100% of direct funds at risk if the bug discovered is exploited

Out of Scope

These impacts are out of scope for this bug bounty program. General:

• Consequences resulting from exploits the reporter has already carried out, which lead to damage.
• Issues caused by attacks that require access to leaked keys or credentials.
• Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
• Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
• References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.

Smart Contracts:

• Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
• Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
• Problems related to insufficient liquidity.
• Issues stemming from Sybil attacks.
• Concerns involving risks of centralization.
• Suggestions for best practices.

Web/App:

• Theoretical issues that lack proof or demonstration.
• Attacks requiring physical access to the victim's device.
• Problems requiring access to the victim's local network.
• CSRF issues without any state-changing security impact (e.g., logout CSRF).
• Disclosure of non-confidential server-side information, such as IP addresses, server names, or stack traces.
• Issues that only confirm the existence of users or tenants.
• Problems that involve vulnerabilities requiring unsolicited user actions that are outside normal app workflows.
• Lack of SSL/TLS best practices.
• Denial of Service (DoS) or Distributed Denial of Service (DDoS) issues.
• User experience (UX) or user interface (UI) issues that do not significantly disrupt platform usage.
• Issues primarily caused by browser or plugin defects.
• Leakage of non-sensitive API keys (e.g., Etherscan, Infura, Alchemy).
• Misconfigured SPF/DMARC records.
• Missing HTTP headers without a demonstrated impact.
• Automated scanner reports that do not demonstrate an impact.

Known Issues

thUSD has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.

• Cantina Managed audit report
• Mixbytes for BAMM Contract Audit Report
• Mixbytes Audit Report - General

Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.

• https://github.com/Threshold-USD/dev/issues

• https://github.com/Threshold-USD/dev#known-issues

• https://github.com/liquity/dev/issues

• https://github.com/backstop-protocol/dev/blob/409ece756492f97197101c8266fdc025021caff6/README.md#pricefeed-limitations-and-known-issues

• Other known issues:

  • Rounding errors in BAMM are considered economically unfeasible for exploitation and an intentional behavior

Specific Types of Issues

• Informational findings.
• Design choices related to protocol.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Any denial of service attacks that are executed against project assets
• Automated testing of services that results in a denial of service
• Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.

Panoptic is a decentralized and permissionless options trading protocol built on Uniswap V3 and V4. We’ve taken a new and innovative approach that allows us to adapt a novel form of perpetual options into a DeFi protocol with oracle-free settlement. Instead of relying on thin and centralized order books, Panoptic takes the form of an advanced lending market for Uniswap positions.

Uniswap V3 and V4 LP positions have payoff curves that are strikingly similar to those of traditional sold (short) puts. Fees collected by positions are essentially a streaming options premium (which Panoptic calls streamia) that compensate Uniswap LPs for the risks their positions carry.

The Panoptic protocol leverages this unique property of Uniswap LP positions to offer a full spectrum of options exposure to every Uniswap V3 pool in existence and many Uniswap V4 pools. Because Uniswap LPs have payoffs similar to selling options, we can create a payoff similar to buying an option by enabling traders to borrow Uniswap V3/V4 positions from LPs and short them by removing that liquidity — compensating those LPs with the fees (streamia) that would have been collected.

Similarly, options sellers can create both calls and puts by borrowing one of the tokens in a Uniswap pool and swapping them into the constituent tokens of their position. These strategies are time-tested and have been employed by savvy retail and professional traders alike.

Panoptic takes these options strategies to the next level. We created integrated, undercollateralized, and capital-efficient lending infrastructure for both ordinary tokens and Uniswap V3/V4 LPs. This infrastructure supports the management of highly advanced multi-leg positions.

This enables several firsts in the DeFi space:

• Leveraged options selling and Uniswap liquidity provision
• Leveraged options buying
• A unique commission-based fee structure that options traders will find refreshingly familiar

Scope

Smart contracts

In-Scope Targets:

• Repository: https://github.com/panoptic-labs/panoptic-v1-core
• Commit: f81567ac9b6cf1faa3c93813d1eab75c7b611ab0

• SemiFungiblePositionManager, PanopticFactory and any contracts deployed by PanopticFactory. (Contract addresses listed here)
• The contracts are only on Ethereum Mainnet and Unichain

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope

Smart contract

• Report 1

• Report 2

• Report 3

• Report 4

• Report 5

• Report 6

• Transfers of ERC1155 SFPM tokens are disabled.

• Construction helper functions (prefixed with add) in the TokenId library and other types do not perform extensive input validation. Passing invalid or nonsensical inputs into these functions or attempting to overwrite already filled slots may yield unexpected or invalid results. This is by design, so it is expected that users of these functions will validate the inputs beforehand.

• Tokens with a supply exceeding 2^127 - 1 are not supported.

• If one token on a pool is broken/does not meet listed criteria/is malicious there are no guarantees as to the security of the other token in that pool, as long as other pools with two legitimate and compliant tokens are not affected.

• Price/oracle manipulation that is not atomic or requires attackers to hold a price across more than one block (i.e., to manipulate a Uniswap observation, you need to set the manipulated price at the end of one block, and then keep it there until the next block) is not in scope

• Attacks that stem from the TWAP being extremely stale compared to the market price within its period (currently 10 minutes)

• As a general rule, only price manipulation issues that can be triggered by manipulating the price atomically from a normal pool/oracle state are valid

• Given a small enough pool and low seller diversity, premium manipulation by swapping back and forth in Uniswap is a known risk. As long as it's not possible to do it between two of your own accounts profitably and doesn't cause protocol loss, that's acceptable

• Front-running via insufficient slippage specification is not in scope

• It's known that liquidators sometimes have a limited capacity to force liquidations to execute at a less favorable price and extract some additional profit from that. This is acceptable even if it causes some amount of unnecessary protocol loss.

• It's possible to leverage the rounding direction to artificially inflate the total gross premium and significantly decrease the rate of premium option sellers earn/are able to withdraw (but not the premium buyers pay) in the future (only significant for very-low-decimal pools, since this must be done one token at a time).

• It's also possible for options buyers to avoid paying premium by calling settleLongPremium if the amount of premium owed is sufficiently small.

• Premium accumulation can become permanently capped if the accumulator exceeds the aimum value; this can happen if a low amount of liquidity earns a large amount of (token) fees

• The liquidator may not be able to execute a liquidation if MAX_POSITIONS is too high for the deployed chain due to an insufficient gas limit. This parameter is not final and will be adjusted by deployed chain such that the most expensive liquidation is well within a safe margin of the gas limit.

• It's expected that liquidators may have to sell options, perform force exercises, and deposit collateral to perform some liquidations. In some situations, the liquidation may not be profitable.

• In some situations (stale TWAP tick), force exercised users will be worse off than if they had burnt their position.

• For the purposes of this competition, assume the constructor arguments to the CollateralTracker are: 20, 2_000, 1_000, -128, 5_000, 9_000, 20, manager_address

• Depending on the token, the amount of funds required for the initial factory deployment may be high or unrealistic

• It is feasible for the share supply of the CollateralTracker to approach 2**256 - 1 (given the token supply constraints, this can happen through repeated protocol-loss-causing liquidations), which can cause various reverts and overflows. Generally, issues with an extremely high share supply as a precondition (delegation reverts due to user's balance being too high, other DoS caused by overflows in calculations with share supply or balances, etc.) are not valid unless that share supply can be created through means other than repeated liquidations/high protocol loss.

• Only pools with hooks that have the permissions `before/afterInitialize`, `before/afterDonate`, and `before/afterSwap/returnDelta` are in scope. Hooks with additional permissions can only be considered to the extent of their effects on the operation of non-hook pools and pools with approved permissions.

• Issues where losses (to a user undertaking a given action) can be avoided by setting the ITM swap flag to false (tickLimitLow < tickLimitHigh) are out of scope.

• For any PanopticPool, it should be assumed that a Uniswap V3 pool with the same tokens is used as the external oracle contract. High and Medium submissions meeting the top-100 pool criteria should use the corresponding top 100 V3 pool as the oracle contract.

• If an insolvent account wants to prevent themselves from being liquidated or prevent an account with long positions near MIN/MAX tick from being closed or prevent the full-range liquidity add during a factory deployment, they can sell tickSpacing-wide positions from another account, buy them from an insolvent account, then add more liquidity (outside the protocol) such that the maxLiquidityPerTick would be exceeded if the removed liquidity from the long positions was added back (the capital requirements for this are very low near MIN_TICK/MAX_TICK). See L-02 on Uniswap's Certora audit.

• Pausing, Upgradabilty, or enabling of fees of any of the external integrations are out of scope.

• Options sellers may be forced to forfeit premium they have earned if it is not settled by the users that purchase their options

• Pools that do not meet the criteria set here: http://docs.panoptic.xyz/docs/developers/pool-criteria

• Weird ERC20 Checklist

Feature	Supported
Missing return values	✅ Yes
Fee on transfer	❌ No
Balance changes outside of transfers	❌ No
Upgradeability	❌ No
Flash minting	✅ Yes
Pausability	❌ No
Approval race protections	✅ Yes
Revert on approval to zero address	✅ Yes
Revert on zero value approvals	✅ Yes
Revert on zero value transfers	✅ Yes
Revert on transfer to the zero address	✅ Yes
Revert on large approvals and/or transfers	❌ No
Doesn't revert on failure	❌ No
Multiple token addresses	❌ No
Low decimals (<6)	✅ Yes
High decimals (>18)	✅ Yes
Blocklists	❌ No

• Automated findings by Lightchaser
  • Panoptic report

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by Panoptic, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

You must report vulnerabilities directly on Cantina. Please include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: High	Impact: Medium
Likelihood: High	Critical	High
Likelihood: Medium	High	-

Critical:

• Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Protocol insolvency
  • Once TVL exceeds $1M, switch to 25-100% of total TVL directly at risk

High:

• Theft of unclaimed yield
• Permanent freezing of unclaimed yield
• Temporary freezing of funds for more than 1 week
• Once TVL exceeds $1M switch to 1-25% TVL directly at risk

Medium:

• Smart contract unable to operate due to lack of token funds
• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
• Unbounded gas consumption

Low:

• Contract functions affected but does not result in loss of fund or impact severely

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Rewards

Panoptic Smart contracts

Severity Level	Maximum Payout	Minimum Payout (In effect before TVL reaches $1M)
Critical	$250,000	$50,000
High	$50,000	$10,000

Other Terms

By submitting a report, you grant Panoptic the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Panoptic. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

Royco Protocol allows anyone to create a market to incentivize any onchain transaction or series of transactions. Using Royco:

• Incentive Providers may create offers to incentivize users to perform the transaction(s).
• Action Providers may create offers to complete the transaction(s) and/or negotiate for more incentives.

When these two satisfy each other, the onchain transaction(s) execute atomically alongside the distribution of incentives. Royco Protocol is entirely non-custodial, trustless, and permissionless. It is also capital-efficient, allowing Action Providers to create many offers with the same assets.

For more information about Royco, please visit https://www.royco.org/

Royco provides rewards in USDC on Ethereum, denominated in USD. For more details about the payment process, please view the Rewards by Threat Level section further below.

Scope

In-Scope Targets:

• Smart Contracts:

Addresses	Contract Name
0x19112AdBDAfB465ddF0b57eCC07E68110Ad09c50	PointsFactory (ETH)
0xb316D165D01aC68d31B297F847533D671c965662	WrappedVaultFactory (ETH)
0x52341389BE638A5B8083d2B70a421f9D4C87EBcd	VaultMarketHub (ETH)
0x40a1c08084671E9A799B73853E82308225309Dc0	WeirollWallet (ETH)
0x76953A612c256fc497bBb49ed14147f24C4feB71	RecipeMarketHub (ETH)
0x07899ac8BE7462151d6515FCd4773DD9267c9911	WeirollWalletHelper (ETH)
0x19112AdBDAfB465ddF0b57eCC07E68110Ad09c50	PointsFactory (ARB)
0xb316D165D01aC68d31B297F847533D671c965662	WrappedVaultFactory (ARB)
0x52341389BE638A5B8083d2B70a421f9D4C87EBcd	VaultMarketHub (ARB)
0x40a1c08084671E9A799B73853E82308225309Dc0	WeirollWallet (ARB)
0x76953A612c256fc497bBb49ed14147f24C4feB71	RecipeMarketHub (ARB)
0x07899ac8BE7462151d6515FCd4773DD9267c9911	WeirollWalletHelper (ARB)
0x19112AdBDAfB465ddF0b57eCC07E68110Ad09c50	PointsFactory (Base)
0xb316D165D01aC68d31B297F847533D671c965662	WrappedVaultFactory (Base)
0x52341389BE638A5B8083d2B70a421f9D4C87EBcd	VaultMarketHub (Base)
0x40a1c08084671E9A799B73853E82308225309Dc0	WeirollWallet (Base)
0x76953A612c256fc497bBb49ed14147f24C4feB71	RecipeMarketHub (Base)
0x07899ac8BE7462151d6515FCd4773DD9267c9911	WeirollWalletHelper (Base)
0x19112adbdafb465ddf0b57ecc07e68110ad09c50	PointsFactory (Plume)
0x75e502644284edf34421f9c355d75db79e343bca	WrappedVaultFactory (Plume)
0xa97ecc6bfda40baf2fdd096dd33e88bd8e769280	VaultMarketHub (Plume)
0x40a1c08084671e9a799b73853e82308225309dc0	WeirollWallet (Plume)
0x783251f103555068c1e9d755f69458f39ed937c0	RecipeMarketHub (Plume)
0x19112adbdafb465ddf0b57ecc07e68110ad09c50	PointsFactory (Corn)
0x75e502644284edf34421f9c355d75db79e343bca	WrappedVaultFactory (Corn)
0xa97ecc6bfda40baf2fdd096dd33e88bd8e769280	VaultMarketHub (Corn)
0x40a1c08084671e9a799b73853e82308225309dc0	WeirollWallet (Corn)
0x783251f103555068c1e9d755f69458f39ed937c0	RecipeMarketHub (Corn)
0x63E8209CAa13bbA1838E3946a50d717071A28CFB	Royco Cross-Chain Deposit Module (Ethereum)
0xEC1F64Cd852c65A22bCaA778b2ed76Bc5502645C	Royco Cross-Chain Deposit Module (Berachain)

Royco’s codebase can be found at https://github.com/roycoprotocol.

Documentation and further resources can be found on https://docs.royco.org/.

• Web Interface / Application:
  • https://github.com/roycoprotocol/royco-frontend-template
  • app.royco.org

Royco’s front-end codebase can be found at royco-frontend-template. Documentation and further resources can be found on https://docs.royco.org/.

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by [Program Name/Company], or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

You must report vulnerabilities directly on Cantina. Please include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity Definitions

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	-

Critical:

• Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
• Permanent freezing of >2% funds

High:

• Theft of unclaimed yield

Medium:

• Smart contract unable to operate due to lack of token funds
• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
• Unbounded gas consumption

Low:

• Contract functions affected but does not result in loss of fund or impact severely

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Rewards

The maximum Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.

• Smart Contract Code

Severity	Maximum Payout
Critical	$250,000
High	$3,000 to $10,000

The maximum Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.

• Web App / Frontend

Risk Score	Payout Range
Critical	Up to $10,000

For critical web/apps bug reports will be rewarded only if the impact leads to:

• A loss of funds involving an attack that does not require any user action
• Private key or private key generation leakage leading to unauthorized access to user funds

Note: Actual reward amounts are determined at Royco’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Out of scope

Web3/Smart contract:

• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Impacts requiring basic economic and governance attacks (e.g. 51% attack)
• Lack of liquidity impacts
• Impacts from Sybil attacks
• Impacts involving centralization risks

WebApp/Frontend:

• Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
• Impacts caused by attacks requiring access to leaked keys/credentials
• Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
• Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
• Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
• Best practice recommendations
• Feature requests
• Impacts on test files and configuration files unless stated otherwise in the bug bounty program
• Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
• Impacts requiring phishing or other social engineering attacks against project's employees and/or customers.
• Theoretical impacts without any proof or demonstration
• Impacts involving attacks requiring physical access to the victim device
• Impacts involving attacks requiring access to the local network of the victim
• Reflected plain text injection (e.g. url parameters, path, etc.)
• This does not exclude reflected HTML injection with or without JavaScript
• This does not exclude persistent plain text injection
• Any impacts involving self-XSS
• Captcha bypass using OCR without impact demonstration
• CSRF with no state modifying security impact (e.g. logout CSRF)
• Impacts related to missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
• Server-side non-confidential information disclosure, such as IPs, server names, and most stack traces
• Impacts causing only the enumeration or confirmation of the existence of users or tenants
• Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
• Lack of SSL/TLS best practices
• Impacts that only require DDoS
• UX and UI impacts that do not materially disrupt use of the platform
• Impacts primarily caused by browser/plugin defects
• Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.)
• Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass)
• SPF/DMARC misconfigured records)
• Missing HTTP Headers without demonstrated impact
• Automated scanner reports without demonstrated impact
• UI/UX best practice recommendations

Other Terms

By submitting a report, you grant Royco the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Royco. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

Level is a stablecoin protocol that issues lvlUSD, a stablecoin that is fully backed by USDC and USDT generating yield from blue-chip lending protocols like Aave and soon Morpho. Level has consistently provided higher yield than most major yield-bearing stablecoins while only generating yield from low risk lending protocols. Level also offers increased utility and capital efficiency by being deeply integrated into leading DeFi protocols like Morpho, Pendle and Spectra.

Scope

In-Scope Targets:

• Core Contracts:

  • Repository: https://github.com/Level-Money/contracts
  • Hash: 0e86345fed4e84d3cb24ed73cca5d4d11b504430
  • Files:
    • src/v2/*
    • script/v2/*
    • src/v1/lens/*
    • src/v1/lvlUSD.sol
    • src/v1/StakedlvlUSD.sol
    • src/v1/slvlUSDSilo.sol

• Web Interface / Application:

  • https://level.money
  • https://app.level.money

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

• Smart Contracts:

  • Any v1 directories in https://github.com/Level-Money/contracts, unless they are dependencies of v2:
    • src/v1
      • Excluding:
        • src/v1/lens/*
        • src/v1/lvlUSD.sol
        • src/v1/StakedlvlUSD.sol
        • src/v1/slvlUSDSilo.sol
    • script/v1
    • test/v1
  • Any issues surfaced in prior audits, which can be found here: https://level-money.gitbook.io/docs/technical-documentation/audits
    • Any unfixed vulnerabilities mentioned in these reports are not eligible for reward
  • Any previously-discovered bugs, including known issues that the project is aware of but has consciously decided not to “fix”, necessary code changes, or any implemented operational mitigating procedures that can lessen potential risk.
  • Every issue opened in the repo, closed PRs, previous audits or contests
  • Specific issues:
    • Informational findings, including typos, documentation discrepancies, msising events, missing zero-address checks, and non-critical missing input validation
    • Design choices related to the protocol (ie using permissioned addresses to manage reserves)
    • Issues that can be solved by the protocol updating its reserve management criteria (ex: issues caused by deploying into low-liquidity Morpho vaults, which the protocol can simply choose not to allowlist)
    • Issues that ignore trust assumptions (ie data supplied by third party oracles)
    • Issues caused by attacks requiring excessive social engineering to acquire special privileges, including leaked keys/credentials or RBAC roles, except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
    • Issues caused by Sybil attacks
    • Issues involving centralization risk
    • Any secrets/access tokens/API keys/private keys that are not being used in production
    • User errors that can be easily caught in the frontend
    • Rounding errors
    • Any errors that can be solved with a call to BoringVault.manage() by the admin timelock (ex: claiming rewards from Aave)
    • Relatively high gas consumption
    • Vulnerability stemming from extreme market turmoil
    • Dev branches
    • Suggestions for best practices
    • Known issues under remediation
    • Feature requests

• Website/App:

  • Theoretical impacts without any proof or demonstration.
  • Impacts involving attacks requiring physical access to the victim device.
  • Impacts involving attacks requiring access to the local network of the victim.
  • Reflected plain text injection (e.g. url parameters, path, etc.).
  • This does not exclude reflected HTML injection with or without JavaScript.
  • Open ports with no proven risk (e.g., port 22 open on SSH with key-based authentication).
  • Lack of security headers (e.g., missing CSP, X-Frame-Options, HSTS, unless proven to be exploitable).
  • Stack traces & error messages (unless they leak sensitive information).
  • Captcha bypass using OCR without impact demonstration.
  • Impacts causing only the enumeration or confirmation of the existence of users or tenants.
  • Impacts caused by vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows.
  • Lack of SSL/TLS best practices.
  • Impacts that only require DDoS.
  • UX and UI impacts that do not materially disrupt use of the platform.
  • Impacts primarily caused by browser/plugin defects.
  • Leakage of non sensitive API keys (e.g. Etherscan, Infura, Alchemy, etc.).
  • Any vulnerability exploit requiring browser bugs for exploitation (e.g. CSP bypass).
  • Publicly accessible .git directories (if no sensitive files are exposed).
  • SPF/DMARC issues (unless there is active email spoofing that affects Story Protocol users).
  • Outdated software without a working proof of concept (e.g., reporting "Nginx 1.18.0" without showing an exploit).
  • Clickjacking on non-sensitive pages (e.g., informational pages).
  • Self-XSS (XSS that only affects the person reporting it).
  • CSRF (Cross-Site Request Forgery) on blockchain transactions (since blockchain transactions require explicit user signing).
  • CORS misconfigurations that do not allow credential theft or sensitive data exposure.
  • Rate-limiting issues on public, non-sensitive APIs (e.g., public block explorer APIs).
  • Missing email verification (since Web3 users often rely on wallet authentication rather than email-based login).
  • Login/logout CSRF (only relevant if authentication relies solely on cookies, which is less common in Web3).
  • Session fixation (not relevant if the system uses stateless authentication like JWTs).

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by [Program Name/Company], or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Report must include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Level requires KYC information, including full name, date of birth, and a copy of your passport or other government-issued ID. In addition, you must not:

• Be an OFAC-sanctioned individual or be a part of an OFAC sanctioned entity
• Reside in a country under any trade or economic sanctions by OFAC, or where the laws of the United States or local law prohibits participation
• Have been an official contributor, contractor, or employee of Level
• Be employees or individuals closely associated with Level
• Be security auditors who have participated in the audit review

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

• Core Smart Contract Code

Risk Score	Payout Range
Critical	Up to $200,000
High	Up to $50,000
Medium	Up to $10,000
Low	Discretionary

• Web Interface / Frontend

Risk Score	Payout Range
Critical	Up to $25,000
High	Up to $10,000
Medium	Up to $2,500
Low	Discretionary

Note: Actual reward amounts are determined at Level’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Level the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Level. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

The bug bounty program is focused on DELV's Hyperdrive smart contracts and is mostly concerned with the loss of user funds and access to those funds without user permission.

To be eligible for a reward under the DELV Bug Bounty Program, you must:

• Discover a previously unreported and non-public vulnerability that would result in a loss of or a lock on any ERC-20 token in Hyperdrive. Each bug will only be considered for a reward once. This does not include third-party platforms interacting with the system.
• Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements and the section below.
• Provide sufficient information to enable our team to reproduce and fix the vulnerability. This includes providing a PoC.
• Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
• Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than the reward subject under this Program).
• Submit only one vulnerability per submission, unless you need to bundle vulnerabilities together in order to provide an accurate assessment of impact regarding any of the vulnerabilities.
• Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
• Not be one of our current or former employees or contractors.
• Comply with all applicable laws.
  • Not be listed on any sanctions list of the United States, the United Kingdom, the European Union, or the United Nation, or directly or indirectly owned by or associated with such sanctioned person, or operating from or ordinarily resident in any jurisdiction subject to such sanctions.

Smart Contracts in Scope

delvtech/hyperdrive

Target URL	Type
StETHTarget3Deployer.sol	StETHTarget3Deployer
StETHTarget1Deployer.sol	StETHTarget1Deployer
StETHHyperdriveDeployerCoordinator.sol	StETHHyperdriveDeployerCoordinator
StETHHyperdriveCoreDeployer.sol	StETHHyperdriveCoreDeployer
StETHTarget2Deployer.sol	StETHTarget2Deployer
StETHTarget0Deployer.sol	StETHTarget0Deployer
HyperdriveDeployerCoordinator.sol	HyperdriveDeployerCoordinator
LsETHTarget2Deployer.sol	LsETHTarget2Deployer
LsETHHyperdriveDeployerCoordinator.sol	LsETHHyperdriveDeployerCoordinator
LsETHHyperdriveCoreDeployer.sol	LsETHHyperdriveCoreDeployer
LsETHTarget1Deployer.sol	LsETHTarget1Deployer
LsETHTarget3Deployer.sol	LsETHTarget3Deployer
LsETHTarget0Deployer.sol	LsETHTarget0Deployer
EzETHHyperdriveCoreDeployer.sol	EzETHHyperdriveCoreDeployer
EzETHTarget2Deployer.sol	EzETHTarget2Deployer
EzETHTarget3Deployer.sol	EzETHTarget3Deployer
EzETHTarget0Deployer.sol	EzETHTarget0Deployer
EzETHHyperdriveDeployerCoordinator.sol	EzETHHyperdriveDeployerCoordinator
EzETHTarget1Deployer.sol	EzETHTarget1Deployer
ERC4626Target0Deployer.sol	ERC4626Target0Deployer
ERC4626Target2Deployer.sol	ERC4626Target2Deployer
ERC4626Target3Deployer.sol	ERC4626Target3Deployer
ERC4626HyperdriveCoreDeployer.sol	ERC4626HyperdriveCoreDeployer
ERC4626HyperdriveDeployerCoordinator.sol	ERC4626HyperdriveDeployerCoordinator
ERC4626Target1Deployer.sol	ERC4626Target1Deployer
RETHTarget1Deployer.sol	RETHTarget1Deployer
RETHTarget0Deployer.sol	RETHTarget0Deployer
RETHHyperdriveDeployerCoordinator.sol	RETHHyperdriveDeployerCoordinator
RETHHyperdriveCoreDeployer.sol	RETHHyperdriveCoreDeployer
RETHTarget3Deployer.sol	RETHTarget3Deployer
RETHTarget2Deployer.sol	RETHTarget2Deployer
HyperdriveTarget0.sol	HyperdriveTarget0
HyperdriveTarget3.sol	HyperdriveTarget3
Hyperdrive.sol	Hyperdrive
HyperdriveTarget1.sol	HyperdriveTarget1
HyperdriveTarget2.sol	HyperdriveTarget2
StETHTarget1.sol	StETHTarget1
StETHHyperdrive.sol	StETHHyperdrive
StETHTarget2.sol	StETHTarget2
StETHTarget0.sol	StETHTarget0
StETHBase.sol	StETHBase
StETHTarget3.sol	StETHTarget3
LsETHTarget0.sol	LsETHTarget0
LsETHHyperdrive.sol	LsETHHyperdrive
LsETHBase.sol	LsETHBase
LsETHTarget1.sol	LsETHTarget1
LsETHTarget2.sol	LsETHTarget2
LsETHTarget3.sol	LsETHTarget3
EzETHHyperdrive.sol	EzETHHyperdrive
EzETHTarget0.sol	EzETHTarget0
EzETHTarget1.sol	EzETHTarget1
EzETHTarget2.sol	EzETHTarget2
EzETHBase.sol	EzETHBase
EzETHTarget3.sol	EzETHTarget3
ERC4626Target3.sol	ERC4626Target3
ERC4626Base.sol	ERC4626Base
ERC4626Target1.sol	ERC4626Target1
ERC4626Hyperdrive.sol	ERC4626Hyperdrive
ERC4626Target2.sol	ERC4626Target2
ERC4626Target0.sol	ERC4626Target0
RETHTarget0.sol	RETHTarget0
RETHHyperdrive.sol	RETHHyperdrive
RETHTarget2.sol	RETHTarget2
RETHTarget1.sol	RETHTarget1
RETHBase.sol	RETHBase
RETHTarget3.sol	RETHTarget3
HyperdriveBase.sol	HyperdriveBase
HyperdriveLP.sol	HyperdriveLP
HyperdriveStorage.sol	HyperdriveStorage
HyperdriveAdmin.sol	HyperdriveAdmin
HyperdriveCheckpoint.sol	HyperdriveCheckpoint
HyperdriveLong.sol	HyperdriveLong
HyperdriveMultiToken.sol	HyperdriveMultiToken
HyperdriveShort.sol	HyperdriveShort
HyperdriveCheckpointSubrewarder.sol	HyperdriveCheckpointSubrewarder
HyperdriveCheckpointRewarder.sol	HyperdriveCheckpointRewarder
Errors.sol	Errors
YieldSpaceMath.sol	YieldSpaceMath
Constants.sol	Constants
FixedPointMath.sol	FixedPointMath
HyperdriveMath.sol	HyperdriveMath
AssetId.sol	AssetId
SafeCast.sol	SafeCast
LPMath.sol	LPMath
HyperdriveRegistry.sol	HyperdriveRegistry
HyperdriveFactory.sol	HyperdriveFactory
ERC20ForwarderFactory.sol	ERC20ForwarderFactory
ERC20Forwarder.sol	ERC20Forwarder

Disclosure and Reporting Guidelines

To be eligible for a bounty, we require that Bug bounty hunters, security engineers, and researchers must:

• Make it a priority to avoid privacy violations, degradation of user experience, and disruption to production systems during security testing.
• Report vulnerabilities as soon as they have been discovered and keep them confidential between yourself and the DELV team. You may not use (other than as necessary to participate in this bug bounty program) and may not disclose to a third party any DELV confidential information, including identified vulnerabilities.
• Only use the Cantina.xyz bug reporting interface to report vulnerability information to us.
• Provide the team with at least 5 working days to investigate the issue and get back to you before taking any further action.
• DELV reserves the right to verify that the bounty hunter/researcher/security engineer meets these requirements and is eligible for payment.
• By reporting a vulnerability, you assign to Cantina (who assigns it to DELV) any intellectual property developed from your participation in this bug bounty program.

Severity Definitions

Smart Contracts

Severity level	Impact: High	Impact: Medium
Likelihood:high	$100,000.00 (Critical)	$20,000.00 (High)
Likelihood:medium	$20,000.00 (High)	$5,000.00 (Medium)

Critical

• Direct theft of any user funds,

High

• Any governance voting result manipulation
• Temporary freezing of funds

Medium

• Smart contract unable to operate due to lack of token funds
• Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
• Theft of gas
• Unbounded gas consumption

Low

• At the discretion of DELV

Not all bugs will be material or warrant a bounty.

Out of Scope (all repositories)

Known Issues

• all acknowledged issues in the delvtech/hyperdrive repo are considered out of scope
• all known issues in previous security reviews are considered out of scope
• (any attempted fixes, that do not remediate the issue, remain in scope if the vulnerability exists after the fix)

Specific Types of Issues

• Informational findings.
• Design choices related to protocol.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.
• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist)
• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Sybil attack

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
• Any testing with pricing oracles or third party smart contracts
• Attempting phishing or other social engineering attacks against our employees and/or customers
• Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
• Any denial of service attacks
• Automated testing of services that generates significant amounts of traffic
• Public disclosure of bugs or unpatched vulnerabilities. See "Disclosure and Reporting Guidelines" above for additional protections of DELV's confidential information.

Modular Account V2 contains a suite of modular smart contract accounts and modules. Modular Account V2 is maximally secure, modular, and has the cheapest creation costs amongst ERC4337-compatible smart contract accounts.

The accounts are upgradeable, can create session keys with scoped permissions on the account, and can use gas sponsorship provided by the ERC-4337 protocol. It can be used for most smart account use cases due to high flexibility from its modular design.

Modular Account V2 contains 4 smart account implementations:

1. ModularAccount (ERC4337 compatible)
2. SemiModularAccountBytecode(ERC4337 compatible)
3. SemiModularAccountStorageOnly (ERC4337 compatible)
4. SemiModularAccount7702 (EIP-7702 + ERC4337 compatible)

The repository also contains 2 signature verification modules and 4 permissioning modules.

Scope

In-Scope Targets

Smart Contracts in Scope

Following are in-scope contracts from the github repo: https://github.com/alchemyplatform/modular-account/tree/v2.0.x

Name	Address
AccountFactory	0x00000000000017c61b5bEe81050EC8eFc9c6fecd
ModularAccount	0x00000000000002377B26b1EdA7b0BC371C60DD4f
SemiModularAccount7702	0x69007702764179f14F51cdce752f4f775d74E139
SemiModularAccountBytecode	0x000000000000c5A9089039570Dd36455b5C07383
SemiModularAccountStorageOnly	0x0000000000006E2f9d80CaEc0Da6500f005EB25A
ExecutionInstallDelegate	0x0000000000008e6a39E03C7156e46b238C9E2036
SingleSignerValidationModule	0x00000000000099DE0BF6fA90dEB851E2A2df7d83
WebAuthnValidationModule	0x0000000000001D9d34E07D9834274dF9ae575217
AllowlistModule	0x0000000000002311EEE9A2B887af1F144dbb4F6e
NativeTokenLimitModule	0x00000000000001e541f0D090868FBe24b59Fbe06
PaymasterGuardModule	0x0000000000001aA7A7F7E29abe0be06c72FD42A1
TimeRangeModule	0x00000000000082B8e2012be914dFA4f62A0573eA

Out-of-Scope

• Smart contracts not in the v2.0.x release branch are considered out of scope.

Known Issues

Known issues from previous security reviews are considered out of scope.

• Previous security reviews can be found at: https://github.com/alchemyplatform/modular-account/tree/v2.0.x/audits

Other known issues that are out of scope:

• SemiModularAccount7702: when upgrading to a SMA7702 account from an existing account, or upgrading from an SMA7702 account to a new 7702 account, if the signature format is the same in the new account, the bundler is able omit the upgrade from the auth tuple to keep the gas paid for updating the auth tuple. This can be mitigated by starting from or ending with an account with a different signature format. This would be addressed in a subsequent release.
• Deferred Actions: Bundlers or relayers can replace deferred actions with separate deferred actions. Deferred actions are meant to be used in a way such that removing it would cause a validation failure, e.g. approving ERC20 tokens to a ERC20 paymaster before the paymaster validation check, or installing a session key before validation of that session key, thus security impacts due to such usage are considered out of scope.

Specific Types of Issues

• User error: Examples include: transferring tokens or account ownership to address(0), or financial losses due to granting permissions to a malicious entity, or using a non EIP-7702 account in the EIP-7702 context. Interactions with 3rd party malicious code. Examples include: installing a faulty or malicious module.
• Bad behavior from owners. Examples include: an owner DoSing another owner of the same account.
• Security impacts to accounts due to issues in the ERC-4337 EntryPoint would not be eligible for a modular account bug bounty.
• Issues related to counterfactual addresses or cryptography attacks that are not economically viable. Examples include generating a hash collision to take over a user’s undeployed ERC-4337 account, or mining EOA addresses to collide with smart contract accounts.
• Design choices related to protocol. Examples include: two step ownership transfers.
• Rounding errors.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.

Prohibited Actions

• Social engineering (e.g. phishing, vishing, smishing) is prohibited.
• Live testing on public chains, including public mainnet deployments and public testnet deployments is prohibited.
  • We recommend testing on local forks, for example using foundry.
• Privacy violations, destruction of data, and actions that cause interruption or degradation of our services are prohibited. Only interact with accounts you own or with explicit permission of the account holder.
• Public disclosure of bugs without the written consent of the Alchemy team is prohibited.
• No Conflicts of Interest. Any individual who is or has ever been employed by Alchemy (or their family), or who is or has ever been a contractor of Alchemy, may not participate in the Bug Bounty. Additionally, any individual who has been involved in or contributed to the development of the code of the bug in question (or their family) may not participate in the Bug Bounty.

Eligibility

• You must discover a previously-unreported, non-public vulnerability that is not previously known by the Alchemy team and is within the scope of this bug bounty program (the “Program”).
• You must provide all KYC and other documents as requested.
• You must be the first to disclose the unique vulnerability, in compliance with the disclosure requirements. A vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program is not eligible for a reward.
• You must provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
• You cannot exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
• You cannot publicize or exploit a vulnerability in any way, other than through private reporting to us.
• You must refrain from any privacy violations, destruction of data, interruption or degradation of any of the assets or systems in scope.
• You cannot engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
• You must be at least 18 years old at the time of submission.
• You cannot reside in a country under (or otherwise be subject to) any trade or economic sanctions by the United States Treasury’s Office of Foreign Assets Control or other applicable sanctions laws, or where the laws of the United States or local law prohibits participation.
• You cannot be one of our current or former employees (or their family member), or a vendor or contractor who has been involved in the development of the code of the bug in question.
• You must comply with all the rules of the Program, including but not limited to, refraining from engaging in any Prohibited Actions.

Severity and Rewards

Risk Classification Matrix

• Smart Contracts

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Informational
Likelihood: Low	Medium	Medium	Low	Informational

Rewards given are determined by the security impact, as well as the likelihood of the security impact. All submissions need to contain a clear, reproducible and working proof-of-concept to be eligible for a reward. Any submissions that do not require a redeployment would be capped at a low or medium severity.

Impact Assessment

The impact levels provided below should only be considered guidelines as the impact of a report will be defined on a case-by-case basis solely determined by Alchemy.

Critical:

• Stealing funds or permanently freezing funds from accounts on a large scale (20+% TVL across all accounts, and/or stealing native tokens or common ERC20s)
• Loss of control or access to accounts

High:

• Stealing funds, or temporarily/permanently freezing funds from accounts at a medium scale (1-20% TVL across all accounts)
• Loss of access to important features on accounts

Medium:

• Stealing funds, or temporarily/permanently freezing funds from accounts at a smaller scale (such as gas related issues)
• Loss of access to other features on accounts
• Loss of funds, or temporarily/permanently freezing funds from the AccountFactory contract
• Loss of control or access to the AccountFactory contract

Low:

• The issue does not pose an immediate risk but is relevant to security best practices.

Likelihood Assessment

The likelihood levels provided below should only be considered guidelines as the impact of a report will be defined on a case-by-case basis solely determined by Alchemy.

• High: Affects most accounts in production. Must affect accounts in the default configuration from the factory, or for very common use cases such as session keys, and/or requires little to no privileged access.

• Medium: Affects a significant portion of accounts in production. It must also be likely under specific conditions or scenarios, or it being a reasonably common use case, or a likely configuration of the account, and/or requires little to no privileged access.

• Low: Rare but conceivable. This may cover use cases that are not in production today, or attacks that require privileged access.

Reward Ranges

Severity Level	Maximum Payout	Minimum Payout
Critical	Up to $100,000 USD	$50,000 USD
High	Up to $10,000 USD	$5,000 USD
Medium	Up to $2,000 USD	$500 USD
Low	Discretionary	Discretionary

Note: Actual reward amounts are determined at Alchemy’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting your report, you grant Alchemy any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at Alchemy’s sole discretion. The terms and conditions of this Program may be altered, and this Program may be wound down, at any time.

Cork is the protocol for tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens. It introduces Depeg Swaps, permissionless tokens representing the risk position of a certain asset losing its correlated peg. A new type of risk marketplace, in Cork the price of depeg swaps are established by the market, allowing people to gauge the market’s sentiment of a pegged assets’ stability. Depeg swaps can be bought (to get protection against an depeg or bet that a peg will hold) or sold (to bet that a peg will be lost) and create a new financial primitive to price, hedge, and trade depeg risks.

For more information about Cork, please visit https://www.cork.tech/

Scope

Assets in Scope

• Smart Contracts:

  • AssetFactory Implementation
  • AssetFactory
  • Cork Config
  • FlashSwapRouter Implementation
  • FlashSwap Router
  • ModuleCore Router Implementation
  • Module Core
  • Liquidity Token
  • Hook
  • Withdrawal
  • Exchange Rate Provider

• Web/app

  • https://app.cork.tech

Out-of-Scope Targets:

• Previous Audits
  • Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
• Impacts relying on known vulnerabilities that were publicly acknowledged by Cork through Issues or Pull Requests in any of Cork’s Public Github repositories at:
  • https://github.com/Cork-Technology.
• Impacts relying on maintenance windows that have been publicly disclosed on
  • www.cork.tech or
  • app.cork.tech
• Impacts relying on vulnerabilities within our 3rd-party code dependencies that have already been publicly disclosed by any party, including the security researcher

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by Cork Protocol, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

The report must include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.
• Should not be on OFACs SDN list
• Should not be an official contributor, either in past or atpresent
• Should not be employees and/or individuals closely associated with the project
• Should not be security auditors that directly or indirectly participated in the audit review

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

• Smart Contract Code

Risk Score	Reward Amount
Critical	USD 30,000 - USD 100,000
High	USD 10,000 - USD 30,000

• Web Interface / Frontend

Severity	Reward Amount
Critical	TBD

• For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 30,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.

Repeatable Attack Limitations

• If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.

• For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.

Reward Calculation for High Level Reports

• High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 10,000 to USD 30,000 depending on the funds at risk, capped at the maximum high reward.

• In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.

For critical web/apps bug reports will be rewarded with USD TBD only if the impact leads to:

• A loss of funds involving an attack that does not require any user action
• Private key or private key generation leakage leading to unauthorized access to user funds

All other impacts that would be classified as Critical would be rewarded a flat amount of USD TBD. The rest of the severity levels are paid out according to the Impact in Scope table.

Note: Actual reward amounts are determined at Cork’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Cork the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Cork. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

Sablier is a powerful onchain token distribution protocol. Here are some key definitions:

The Sablier Protocol: A collection of persistent, non-upgradeable smart contracts to facilitate streaming of ERC-20 tokens on Ethereum and other EVM blockchains. The Sablier Protocol consists of Lockup, Merkle Airdrops, and Flow. The Sablier Interface: A web interface that allows for easy interaction with the Sablier Protocol. The interface is only one of many ways to interact with the Sablier Protocol. Sablier Labs: The company that develops the Sablier Protocol, the Sablier Interface, and the documentation website you are reading right now.

Scope

In-Scope Targets:
This bounty covers bugs of critical or high severity that could lead to the unauthorized transfer or loss of funds from the Sablier smart contracts.

• Airdrops at 5b06824
• Flow at e55caba
• Lockup at baf9a9e

Out-of-Scope Targets:

• Code outside the src directories.
• External code in node_modules, except code explicitly used by a deployed contract from src.
• Deployments on test networks.
• Bugs in third-party contracts or platforms interacting with the Sablier Protocol.
• Bugs that have already been reported in previous audits

Vulnerabilities contingent upon the occurrence of any of the following are also out-of-scope:

• Front-end bugs (e.g., clickjacking) and and related social engineering attacks.
• DNS configuration records.
• DDoS attacks, spamming, or phishing.
• Private key leaks.
• Automated tools (e.g., Github Actions).
• Compromise or misuse of third party systems or services.

Note: If a vulnerability is of exceptional severity, we may accept submissions involving code outside the defined scope. However, the threshold for such reports is significantly higher, and reward eligibility will be assessed on a case-by-case basis.

Protocol Assumptions

Every protocol is built with certain assumptions. You MUST adhere to them while reporting bugs. You can find protocol assumptions in the respective repositories:

1. Assumptions in Airdrop Protocol
2. Assumptions in Flow Protocol
3. Assumptions in Lockup Protocol

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by Sablier, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Report must include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

If a reported issue is exploited before it is fixed, the submission will not be eligible for a bounty.

Reports should be made as soon as possible - ideally within 24 hours of discovery.

Anyone who reports a unique, previously unreported vulnerability that results in a change to the code or a configuration, and who keeps such vulnerability confidential until resolution, will be recognised publicly if they choose.

Eligibility

To qualify for a reward under this Program, you MUST:

• Identify a previously unreported, non-public vulnerability within the scope of this Program that could result in the loss or freeze of any ERC-20 token in any of the Sablier Protocols (excluding third-party platforms interacting with it).
• Ensure the vulnerability is distinct from issues covered in the previous Audits.
• Be the first to report the unique vulnerability in accordance with the disclosure requirements specified above. In cases of multiple similar reports within 24 hours, rewards will be split at the discretion of Sablier Labs.
• Provide sufficient information to allow our engineers to reproduce and remediate the vulnerability.
• Refrain from any unlawful conduct when disclosing the bug (e.g., threats or coercive tactics).
• Avoid exploiting the vulnerability or profiting from it beyond the offered reward.
• Make a genuine effort to prevent privacy violations, data destruction, or any interruption or degradation of Sablier Protocol.
• Submit only one vulnerability per submission, unless chaining vulnerabilities is necessary to demonstrate the impact of any of them.
• Not submit a vulnerability that stems from an underlying issue for which a reward has already been paid under this Program.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.
• You must not be a current or former employee, vendor, or contractor of Sablier Labs, or an employee of any of its vendors or contractors.
• You must not be subject to UK sanctions or reside in a UK-embargoed country.
• Be at least 18 years old, or if underage, submit the vulnerability with the consent of a parent or guardian.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

Risk Score	Payout Range
Critical	Up to $100,000

Rewards will be allocated based on the severity and impact of the disclosed bug after a thorough assessment by the Sablier team. For critical bugs that lead to significant unauthorized fund transfers, rewards of up to $100,000 will be granted. Lower severity bugs may receive nominal rewards or none at all, as determined by the Sablier Labs team.

Note: Actual reward amounts are determined at Sablier Labs’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Sablier Labs the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Sablier Labs. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

On-chain credit platform where high-performing receivables meet with global capital.

Visit the docs for a complete project overview.

huma.finance

Smart Contracts in Scope

huma-contracts-v2

Name (address link)	Repo
huma-contracts-v2	https://github.com/00labs/huma-contracts-v2/tree/main

Excluding mocks, tests, scripts, etc. Valid issues must satisfy one of the severity definitions below.

Deployed Contracts Celo

Name	Celo Address
Calendar	0x129686C98916c7fFF9cf9110127402D070183610
HumaConfig	0x9345cc5617F906C62bE1608680B9C0FC3e7707B0
HumaConfigTimelock	0x14B067bac6039429A11baf564db90eDBcc4E27F3
PoolConfigImpl	0x7b6b28434c74E6DB5ba5c9a71eA6ff7A6D5071A5
PoolFeeManagerImpl	0x3D143343FC4bF823365A38Fb76A89754C5C22f77
PoolSafeImpl	0xd2FFCC9f6797ce2D7B503DC3287c4cc4D7fde77F
FirstLossCoverImpl	0x0D9b3ecd2B890651EF7dF65650b419a202D38FF4
RiskAdjustedTranchesPolicyImpl	0xe780653d7c03A5199B3c13b8c663fcE2CDd72562
FixedSeniorYieldTranchesPolicyImpl	0x86c3a14EE6f0B9BFeE1439a9b6eA191B565a3A0F
PoolImpl	0xa6C59ce6c1E1A519EcE7ad0Eeead31D485C7C8A9
EpochManagerImpl	0x5aF84f6c8c6738417e6081677f186839294b5eEc
TrancheVaultImpl	0xf26A071833032Ce57769fdf530E81A28f15671df
CreditLineImpl	0x73c16Db24951135BC8A628185BdbfA79115793E5
ReceivableBackedCreditLineImpl	0xE265E07F9d18Df940A75CfFfEA51211F4f0C46cC
ReceivableFactoringCreditImpl	0x2DF0091067B29Cbac6bD8C2cE15334dEFEE9738C
CreditDueManagerImpl	0xe1Bd10Bba7DF72527dB2F6955d8A731844C8bf84
CreditLineManagerImpl	0xC98dEAA52Ba4848079aA0A4e48BEA6f0AcdC542c
ReceivableBackedCreditLineManagerImpl	0xAD3FB6bB897f85125436a63a5b8c3Dfb5928Fa4e
ReceivableFactoringCreditManagerImpl	0x7EF17831D7153b085ccDEFc02373234Baec16243
ReceivableImpl	0x8920C27a3D76daA004f373f78fa1Ed01B4940FbA
LibTimelockController	0x41B1Dd4c2bbcff308Ef95210532B97DF87D8c053
PoolFactoryImpl	0x2DA34B43089F20c87770674fb7d8Fa5b5384534b
PoolFactory	0x85c8dC49B8DaA709e65dd2182e500E8AC3CaA6C7

Severity Definitions

Smart Contracts

Severity level	Impact: High	Impact: Medium
Likelihood:high	$50,000.00	$25,000.00
Likelihood:medium	$25,000.00	$10,000.00

Issues in Scope

Critical

Complete, or near complete, loss of all funds in the protocol.

High

Meaningful, but limited, loss of funds. Examples include a single pool vulnerable to complete loss of funds, or partial loss of TVL across the protocol such as 15% loss, etc.

Medium

Privilege escalation and circumventing access controls not leading to loss of funds in a way that qualifies as a higher severity.

Out of Scope (all repositories)

Known Issues

Known issues from previous security reviews are considered out of scope. (Spearbit-Security-Review)

Specific Types of Issues

• Informational findings.
• Design choices related to protocol.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Rounding errors. (E.g. yield calculation precision not leading to meaningful loss of funds.)
• Relatively high gas consumption.
• Centralization or admin risks.

All other issues acknowledged in the audits in the Spearbit-Security-Review

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Conflict of Interest: any employee or contractor who currently works, or previously worked, with Huma Finance cannot participate in the Bug Bounty without prior approval. Examples include Huma contributors, security researchers who worked on Huma Finance code reviews, etc.

Size is a fixed-rate lending marketplace built on an order book where offers are expressed like yield curves, allowing efficient and continuous pricing across markets and maturities.

Scope

In-Scope Targets:

• Repository: https://github.com/SizeCredit/size-solidity
• Commit: 739250c26be314b0d74e670297a344b02be625d0
• Total LOC: 4301
• Files:: src/

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

• Known issues:
  • Referenced on the project README and past audit reports

Documentation

• Size Credit Docs

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by [Program Name/Company], or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Report must include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Likelihood: High	Likelihood: Medium	Likelihood: Low
Impact: High	Critical	High	Medium
Impact: Medium	High	Medium	Low
Impact: Low	Medium	Low	-

Impact Definitions:

• Critical:

  • Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
  • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
  • Permanent freezing of funds
  • Protocol insolvency

• High:

  • Theft of unclaimed yield
  • Permanent freezing of unclaimed yield
  • Temporary freezing of funds for more than 1 week

• Medium:

  • Smart contract unable to operate due to lack of token funds
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Unbounded gas consumption

• Low:

  • Contract functions affected but does not result in loss of fund or impact severely

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

Risk Score	Maximum Payout	Minimum Payout (Optional)
Critical	$50,000	$10,000
High	$5,000	$1,000

Note: Actual reward amounts are determined at Size Credit’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Size Credit the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Size Credit. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

Doppler is a customizable liquidity-bootstrapping protocol designed for the Uniswap Ecosystem.

Scope

In-Scope Targets:

• Core Contracts:
  • https://github.com/whetstoneresearch/doppler

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

• Contracts not deployed on a production (mainnet) network are out-of-scope
• Previously found issues are out-of-scope - https://cantina.xyz/portfolio/ba92f3ff-2d28-4d69-82e1-1e512a8a94c5

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by Whetstone, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Report must include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

• Core Smart Contract Code

Risk Score	Payout Range
Critical	Up to $50,000
High	Up to $25,000
Medium	Up to $5,000
Low	Discretionary

Note: Actual reward amounts are determined at Whetstone Research's sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Whetstone Research the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Whetstone Research. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

Marginal is a permissionless spot and perpetual exchange that enables leverage on any asset with an Uniswap V3 Oracle.

One can think of the core mechanism of the protocol as analogous to overcollateralized short-selling with the interest payment dictated by a typical perpetual funding rate.

Visit the docs for a complete project overview.

marginal.network/

Smart Contracts in Scope

v1-core/releases/tag/v1.0.1

v1-periphery/tree/v1.0.1

Deployments: Sepolia

V1 Core:

Target URL	Type
MarginalV1Factory.sol	MarginalV1Factory
MarginalV1Pool.sol	MarginalV1Pool

V1 Periphery:

Target URL	Type
NonfungiblePositionManager.sol	NonfungiblePositionManager
Router.sol	Router
Quoter.sol	Quoter
Oracle.sol	Oracle
PoolInitializer.sol	PoolInitializer
PairArbitrageur.sol	PairArbitrageur

Severity Definitions

Smart Contracts

Severity level	Impact: High	Impact: Medium
Likelihood:high	Upto $25000	-
Likelihood:medium	-	-

Out of Scope (all repositories)

Known Issues

Known issues from previous security reviews are considered out of scope.

• v1-core
• v1-periphery

Specific Types of Issues

• Informational findings.
• Design choices related to protocol.
• Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
• Oracle manipulation attacks.
• Rounding errors.
• Relatively high gas consumption.
• Extreme market turmoil vulnerability.

Prohibited Actions

• Live testing on public chains, including public mainnet deployments and public testnet deployments.
  • We recommend testing on local forks, for example using foundry.
• Public disclosure of bugs without the consent of the protocol team.
• Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.

Spearbit is a distributed network of industry-leading security researchers tackling the most complex and mission-critical protocols across web3.

Cantina is the one-stop shop for all your security needs, allowing you to source the best network of teams, freelancers, and services to keep your smart contracts secure.

Guidelines

1. Scope: Only vulnerabilities found on our websites

   • https://spearbit.com and its subdomains are eligible for rewards.

2. Testing: Do not perform any testing that could disrupt our services or compromise user data.

3. Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.

4. Submission: All submissions must be done on this bounty repository on cantina code. More details on submissions here

Vulnerability Rewards

Here's a general overview:

Severity	Reward Range
Critical	$20,000 - $25,000
High	$10,000 - $20,000
Medium	$1,000 - $10,000
Low	Discretionary

Severity Levels

1. Critical

   • Remote code execution
   • Unauthorized access to sensitive user data
   • Ability to perform actions as a privileged user

2. High

   • SQL injection
   • Cross-Site Scripting (XSS) with significant impact
   • Authentication bypass

3. Medium

   • Cross-Site Request Forgery (CSRF)
   • Server-side request forgery
   • Sensitive information disclosure

4. Low

   • Cross-Site Scripting (XSS) with limited impact
   • Open redirects
   • Clickjacking vulnerabilities

Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.

Out of Scope

The following activities and vulnerability types are considered out of scope for this bug bounty program:

1. Physical attacks against our employees, offices, or data centers
2. Social engineering attacks against our employees or users
3. Vulnerabilities in applications or systems not owned by us
4. Vulnerabilities requiring physical access to a user's device
5. Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)

Testing Guidelines

To ensure safe and responsible testing:

1. Use only your own accounts or test accounts for testing.
2. Do not attempt to access, modify, or destroy data that does not belong to you.
3. Be mindful of testing that might impact system availability or integrity.
4. Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.

If you're unsure whether a specific test is allowed, please contact us before proceeding.

Thank you for helping us keep our platform secure!

Cantina is the one-stop shop for all your security needs, allowing you to source the best network of teams, freelancers, and services to keep your smart contracts secure.

Guidelines

1. Scope: Only vulnerabilities found on our websites

   • https://cantina.xyz its subdomains are eligible for rewards.

2. Testing: Do not perform any testing that could disrupt our services or compromise user data.

3. Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.

4. Submission: All submissions must be done on this bounty repository on cantina code. More details on submissions here

Vulnerability Rewards

Here's a general overview:

Severity	Reward Range
Critical	$20,000 - $25,000
High	$10,000 - $20,000
Medium	$1,000 - $10,000
Low	Discretionary

Severity Levels

1. Critical

   • Remote code execution
   • Unauthorized access to sensitive user data
   • Ability to perform actions as a privileged user

2. High

   • SQL injection
   • Cross-Site Scripting (XSS) with significant impact
   • Authentication bypass

3. Medium

   • Cross-Site Request Forgery (CSRF)
   • Server-side request forgery
   • Sensitive information disclosure

4. Low

   • Cross-Site Scripting (XSS) with limited impact
   • Open redirects
   • Clickjacking vulnerabilities

Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.

Out of Scope

The following activities and vulnerability types are considered out of scope for this bug bounty program:

1. Physical attacks against our employees, offices, or data centers
2. Social engineering attacks against our employees or users
3. Vulnerabilities in applications or systems not owned by us
4. Vulnerabilities requiring physical access to a user's device
5. Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)

Testing Guidelines

To ensure safe and responsible testing:

1. Use only your own accounts or test accounts for testing.
2. Do not attempt to access, modify, or destroy data that does not belong to you.
3. Be mindful of testing that might impact system availability or integrity.
4. Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.

If you're unsure whether a specific test is allowed, please contact us before proceeding.

Thank you for helping us keep our platform secure!

Introduction

The Nodle Network is a decentralized wireless network, composed of Nodle Edge Nodes, powered by the Nodle Chain, and the NODL token. Nodle connects the physical world to Web3 by using smartphones as edge nodes. The edge nodes read devices and sensors in the physical world using Bluetooth Low Energy (BLE) and connect that information to the blockchain. Creating a geolocation-based layer one that can be used by many unique applications built for the hyper-connected, mobile-oriented world we live in. Nodle creates an economic model that is secure, private, and scalable.

Nodle also develops the Click Camera, a unique solution to authenticate pictures using C2PA, a standard from Adobe, and NFTs.

For more information about Nodle, please visit https://www.nodle.com/ For more information about Click, please visit https://clickapp.com/

Scope

In-Scope Targets:

Target	Type
https://github.com/nodlecode/chain	Blockchain/DLT - Nodle Chain Node
https://github.com/NodleCode/rollup	Smart Contracts
https://client.nodle.com	Web/App
https://zkclient.nodle.com	Web/App
Nodle App iOS	Web/App
Nodle App Android	Web/App
Click Camera iOS	Web/App
Click Camera Android	Web/App

Impacts only apply to assets in active use by the project like contracts on mainnet or web/app assets used in production. Any impact that applies to assets not in active use, like test or mock files, are out-of-scope of the bounty program unless explicitly mentioned as in-scope.

Out-of-Scope Targets:

• Previous audits and known issues are out of scope and can be found at:

Description of Known Issue	Related Impact-in-Scope
Upstream reports to Parity Technologies, for Polkadot or related projects.	Blockchain/DLT/Web/API
Upstream reports made to OnFinality, concerning improper operation of the Nodle hosted Mainnet RPC endpoint.	Blockchain/DLT/Web/API
Upstream reports made to Matter Labs or related entities, for ZKsync or zkEVM issues.	Blockchain/DLT
Substrate Pallet Audit, Halborn, Feb. 2022	Blockchain/DLT
Secfault Security, Substrate Chain Audit, July 2020	Blockchain/DLT
Quantstamp Security Assessment Certificate, Sept. 2020	Blockchain/DLT
Resonance Security, Aug. 2024	Blockchain/DLT
Nethermind Bridge Audit, Sept. 2024	Blockchain/DLT
Matter Labs Solidity Audit, Sept. 2024	Blockchain/DLT

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by Nodle Network, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Reports must incude:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

• To be eligible for a reward, you must:
  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

• Blockchain

Risk Score	Payout Range
Critical	$10,000 - $20,000 USD, $NODL
High	$2,000 - $10,000 USD, $NODL

Rewards for critical Blockchain vulnerabilities are further capped at 10% of the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused. However, there is a minimum reward of $10,000 for Critical Blockchain/DLT bug reports.

Rewards for high Blockchain vulnerabilities are further capped at 100% of the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused. However, there is a minimum reward of $2,000 for High Blockchain/DLT bug reports.

• Web Interface / Frontend

Risk Score	Payout Range
Critical	$4,000 - $10,000 USD, $NODL
High	$1,000 - $4,000 USD, $NODL

Rewards for critical web/app vulnerabilities will be further capped at 10% of direct funds at risk if the bug discovered is exploited. However, there is a minimum reward of $4,000.

High web/app vulnerabilities will be further capped at up to 100% of the funds affected. However, there is a minimum reward of $1,000.

Note: Actual reward amounts are determined at Nodle Network’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Out of Scope

Category	Specific Vulnerabilities and/or Attacks to be Excluded
Website & Application	Attacks with the potential to disrupt other customers of a shared web hosting environment, such as but not limited to Vercel.
Website & Application	Attacks that purposefully access account-related data that belongs to another user, and was not created for explicit purposes of security investigation.
Website & Application	Attacks relying on the user installing other applications on their smartphone.
Website & Application	Attacks requiring rooted or jailbroken phone systems.
Blockchain/DLT	Attacks with the potential to disrupt other customers of a shared hosting environment such as OnFinality, SubQuery, or Alchemy.
Blockchain/DLT	Attacks that purposefully access account-related data that belongs to another user, and was not created for explicit purposes of security investigation.
Blockchain/DLT	Vulnerabilities affecting third-party services used by Nodle such as OnFinality.

Other Terms

By submitting a report, you grant Nodle Network the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Nodle Network. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

Eco provides secure and cheap stablecoin transfer pathways between connected chains (initially any L2 or L3 rollup settling on Ethereum), with a network of Solvers providing on-demand liquidity. The Eco Routes intent-based design ensures transfers are executed before settlement, eliminating capital loss risk for users.

Scope

In-Scope Targets:

• Core Contracts:
  • Eco Routes
• Web Interface / Application:
  • https://portal.eco.com/
• Other In-Scope Assets:
  • Eco solver backend

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

• Mailbox contract from Hyperlane
• Hyperlane
• Gas optimizations are out of scope

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by [Program Name/Company], or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

Report must include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

• Core Smart Contract Code

Risk Score	Payout Range
Critical	Up to $20,000
High	Up to $5,000
Medium	Up to $1,000
Low	Up to $500

• Web Interface / Frontend

Risk Score	Payout Range
Critical	Up to $5,000
High	Up to $2,500
Medium	Up to $1,000
Low	Up to $500

• Other Assets (Backend, Mobile, Extension)

Risk Score	Payout Range
Critical	Up to $5,000
High	Up to $2,500
Medium	Up to $1,000
Low	Up to $500

Note: Actual reward amounts are determined at Eco’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Eco Bug Bounty Program the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Eco. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.