Bug Bounties
Made Simple.
Made Simple.
Cantina Bounties enables protocols to protect code in production by leveraging the best network of security researchers and the Cantina Code platform.
How it works
Best Talent
Access the best talent Web3 has to offer including direct access to thousands of researchers from industry-leading firms such as Spearbit.
Efficient Process
Cantina Code was built around bettering the client experience. Simply put — less spam, higher signal findings, and less overhead for you and your team.
Highest Signal
Through quality-gating mechanisms and LLM-based de-duplication, we reduce low-effort and spam submissions from overloading protocols.
Streamlined Submission and Evaluation Process
Cantina Code provides researchers with a comprehensive code review interface to easily submit findings and the swiftest time-to-reward across the industry.
Better Communication with Clients
No more forms. No more Discord. No more Github. Handle all communication simply and swiftly with protocol teams — all in Cantina Code.
Highest Quality Bounties
We believe in combining the best talent with the best reward structures to provide industry-leading bug bounties for industry-leading protocols.
Uniswap Labs / Uniswap
LiveThe Uniswap protocol is a peer-to-peer1 system designed for exchanging cryptocurrencies (ERC-20 Tokens) on the Ethereum blockchain. The protocol is implemented as a set of persistent, non-upgradable smart contracts; designed to prioritize censorship resistance, security, self-custody, and to function without any trusted intermediaries who may selectively restrict access.
Scope
Contracts
The Program includes vulnerabilities and bugs in any deployed Uniswap contract. These include those within the following GitHub repositories:
- Universal Router Contract Code
- Permit2 Contract Code
- V3 Contract Code
- UniswapX Contract Code
- Uniswap Interface Code
However if you find a bug in a Uniswap smart contract outside of these repositories, where user funds are at risk, the team will consider the issue to be in-scope for our bounty.
Websites
Other
- Public NPM packages in the @uniswap org
- The Uniswap Chrome Extension
- The Uniswap Mobile Application
Out of Scope
- Clickjacking (we do allow 3rd parties to iframe us)
- DDOS
- Bugs in third party code
- Dev branches that are not deployed in public packages or contracts
- Third party contracts that are not under the direct control of Uniswap
- Issues already listed in the audits for the contracts above
- Bugs in third party contracts or applications that use Uniswap contracts
- Brute force attacks
- Rounding errors
- Extreme market turmoil vulnerability
- Gas optimization recommendations
- Task Hijacking (Strandhogg)
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor who currently works, or previously worked, with Uniswap Labs / Uniswap Foundation cannot participate in the Bug Bounty without prior approval. Examples include Huma contributors, security researchers who worked on Huma Finance code reviews, etc.
Disclosure
The vulnerability must not be disclosed publicly or to any other person, entity or email address before Uniswap Labs has been notified, has fixed the issue, and has granted permission for public disclosure. In addition, disclosure must be made within 24 hours following discovery of the vulnerability.
A detailed report of a vulnerability increases the likelihood of a reward and may increase the reward amount. Please provide as much information about the vulnerability as possible, including:
- The conditions on which reproducing the bug is contingent.
- The steps needed to reproduce the bug or, preferably, a proof of concept.
- The potential implications of the vulnerability being abused.
Anyone who reports a unique, previously-unreported vulnerability that results in a change to the code or a configuration change and who keeps such vulnerability confidential until it has been resolved by our engineers will be recognized publicly for their contribution if they so choose.
Eligibility
To be eligible for a reward under this Program, you must:
- Discover a previously-unreported, non-public vulnerability that is not previously known by the team and within the scope of this Program.
- Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements.
- Provide sufficient information to enable our engineers to reproduce and fix the vulnerability.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than a reward under this Program).
- Not publicize a vulnerability in any way, other than through private reporting to us.
- Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of any of the assets in scope.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Be at least 18 years of age or, if younger, submit your vulnerability with the consent of your parent or guardian.
- Not be subject to US sanctions or reside in a US-embargoed country.
- Not be one of our current or former employees, or a vendor or contractor who has been involved in the development of the code of the bug in question.
- Comply with all the eligibility requirements of the Program.
Rewards
The Program includes the following 4 level severity scale:
- Critical Issues that could impact numerous users and have serious reputational, legal or financial implications. An example would be being able to lock contracts permanently or take funds from all users.
- High Issues that impact individual users where exploitation would pose reputational, legal or moderate financial risk to the user.
- Medium The risk is relatively small and does not pose a threat to user funds.
- Low/Informational The issue does not pose an immediate risk but is relevant to security best practices.
Rewards will be given based on the above severity as well as the likelihood of the bug being triggered or exploited, to be determined at the sole discretion of Uniswap Labs.
Payout Calculations
Select the payout amounts by which part of our product the bug is in.
Uniswap Contract Code
Reach out to the protocols team for any bug in the contract code.
| Risk Score | Payout |
|---|---|
| Critical | $2,250,000 |
| High | $500,000 |
| Medium | $100,000 |
| Low | Discretionary |
Uniswap Web Interface
This is for only the site that handles wallet interactions (app.uniswap.org)
| Risk Score | Payout |
|---|---|
| Critical | $250,000 |
| High | $50,000 |
| Medium | $10,000 |
| Low | Discretionary |
Uniswap Other Websites
This is for websites that belong to Uniswap, but do not do wallet interactions such as the info site.
| Risk Score | Payout |
|---|---|
| Critical | $50,000 |
| High | $10,000 |
| Medium | $2,000 |
| Low | Discretionary |
Uniswap Backend (Smart Order Router, Universal Router)
| Risk Score | Payout |
|---|---|
| Critical | $50,000 |
| High | $10,000 |
| Medium | $2,000 |
| Low | Discretionary |
Uniswap Mobile Wallet/Extension Wallet
| Risk Score | Payout |
|---|---|
| Critical | $50,000 |
| High | $10,000 |
| Medium | $2,000 |
| Low | Discretionary |
Other Terms
By submitting your report, you grant Uniswap Labs any and all rights, including intellectual property rights, needed to validate, mitigate, and disclose the vulnerability. All reward decisions, including eligibility for and amounts of the rewards and the manner in which such rewards will be paid, are made at our sole discretion.The terms and conditions of this Program may be altered at any time.
$2,250,000 USDC
Started on 19 Jul 2024
Pendle Finance / Pendle Bounty
LivePendle is the first protocol that enables the trading of tokenized future yield on an AMM system. The project aims to give holders of yield-generating assets the opportunity to generate additional yield and to lock in future yield upfront, while offering traders direct exposure to future yield streams, without the need for an underlying collateral.
Further resources regarding the Pendle can be found at pendle.finance
The bug bounty program is focused around its smart contracts and is mostly concerned with the loss of user funds.
Contracts in Scope
Network: Mainnet Ethereum
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | vePendle |
| Explorer Link | senderEndpoint |
| Explorer Link | votingController |
| Explorer Link | gaugeController |
| Explorer Link | feeDistributorV2 |
Network: Arbitrum
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | receiverEndpoint |
| Explorer Link | vePendle |
| Explorer Link | gaugeController |
| Explorer Link | arbMerkleDistribution |
Network: Optimism
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | receiverEndpoint |
| Explorer Link | vePendle |
| Explorer Link | gaugeController |
Network: Binance Smart Chain
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | receiverEndpoint |
| Explorer Link | vePendle |
| Explorer Link | gaugeController |
Network: Mantle
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | receiverEndpoint |
| Explorer Link | vePendle |
| Explorer Link | gaugeController |
Additional scope:
All StandardizedYieldToken, PendlePrincipalToken, PendleYieldToken, PendleYieldTokenV2, and PendleMarket contracts of assets listed under the links below are in scope. Note that each asset will have a different SY but the same PT, YT, and Market.
Award Levels
Rewards are capped at 10% of economic impact.
- Very Critical: Up to $2,000,000 USD, minimum payout $200,000 USD
- Critical: Up to $1,000,000 USD, minimum payout $100,000 USD
- High: Up to $100,000 USD, minimum payout $20,000 USD
- Medium: Up to $20,000 USD
- Below Medium: To be awarded at the discretion of Pendle Finance
Severity Definitions
For manipulation that can steal/freeze users' funds (excluding unclaimed yield)
| Likelihood/Impact | >10% TVL | 1-10% TVL | < 1% TVL |
|---|---|---|---|
| High | Very Critical | Critical | High or Critical |
| Medium | Critical | High or Critical | High |
| Low | High or Critical | High | Medium |
For other manipulation
The Pendle team will exercise its discretion, together with the Cantina team, to judge the severity with the aim of awarding fairly to security researchers.
| Likelihood/Impact | Significant | Moderate | Minimal |
|---|---|---|---|
| High | High or Critical | High | Medium |
| Medium | High | Medium | Below Medium |
| Low | Medium | Below Medium | Below Medium |
Out of Scope (all repositories)
If an issue is discovered and is not from the files listed as In Scope above, security researchers are encouraged to report the finding. Awards for out of scope issues to be determined at the discretion of Pendle Finance.
The Pendle team will be very flexible in assessing all submissions, with the goal of prioritizing the security of the protocol.
Known Public Issues
Known issues from previous security reviews are considered out of scope.
- pendle-core-v2-public/audits are considered as out-of-scope.
Known but not Public Issues
Are considered out of scope.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
$2,000,000 USDC
Started on 14 Jun 2024
Morpho / Morpho
LiveMorpho Blue and MetaMorpho form part of the vision to rebuild decentralized lending in layers, with MetaMorpho enabling any lending experience to be rebuilt on a shared and immutable base layer: Morpho Blue.
Morpho Blue is a trustless lending primitive that offers unparalleled efficiency and flexibility. It enables the creation of isolated lending markets by specifying any loan asset, any collateral asset, a liquidation LTV (LLTV), an oracle, and an interest rate model.
Visit the docs for a complete project overview.
Smart Contracts in Scope
Morpho Blue
Morpho Blue
| Name (address link) | Repo |
|---|---|
| Morpho Blue | github.com/morpho-org/morpho-blue |
| Adaptive Curve Irm | github.com/morpho-org/morpho-blue-irm |
| Morpho Chainlink Oracle V2 Factory | github.com/morpho-org/morpho-blue-oracles |
MetaMorpho
| Name (address link) | Repo |
|---|---|
| MetaMorpho Factory | github.com/morpho-org/metamorpho |
| Public Allocator | github.com/morpho-org/public-allocator |
Rewards
Bundlers
Morpho Optimizers
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood:high | $555,555.00 | $100,000.00 |
| Likelihood:medium | $100,000.00 | - |
Out of Scope (all repositories)
Known Issues
Known issues from previous security reviews are considered out of scope.
- morpho-org/morpho-blue/tree/main/audits
- morpho-org/metamorpho/tree/main/audits
- morpho-org/morpho-blue-bundlers/tree/main/audits
- morpho-optimizers/security/audits
Note that the metamorpho repository also gathers the findings on all periphery contracts from the Cantina competition.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol. For example, the ability to deploy permissionless pools.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors.
- COMP rewards can be claimed as part of the reserve factor if COMP is listed as market.
- Someone can repay on behalf of Morpho.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
- Some contracts are not set yet (eg: IncentivesVault).
- Manipulation of the matching engine. Here are some examples:
- Split large amounts: On Morpho, pure supplier whales are always in the first positions of data structures and constantly matched/unmatched. What is possible to do is to supply a large amount with a first account. Borrow-repay (free), to match itself, and then withdraw enough from the supply to be inserted in the FIFO part of the data structure. The final result is a huge liquidity matched splitted across multiple accounts.
- Flashloan to enter peer-to-peer: A user is waiting in the FIFO part of the pool data structure because larger users are placed before this user. With a flash loan, it’s possible to supply enough to become the first user waiting to be matched. Then borrow-repay (free), to match peer-to-peer the user itself as well as the second one. Then withdraw the flasloaned amount and end the tx. The user is thus matched peer-to-peer.
All other issues acknowledged in the audits in this repo: https://github.com/morpho-dao/morpho-v1/ and https://github.com/morpho-dao/morpho-aave-v3
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Morpho Labs cannot participate in the Bug Bounty.
$555,555 USDC
Started on 27 Mar 2024
Marginal / marginal-bounty
LiveMarginal is a permissionless spot and perpetual exchange that enables leverage on any asset with an Uniswap V3 Oracle.
One can think of the core mechanism of the protocol as analogous to overcollateralized short-selling with the interest payment dictated by a typical perpetual funding rate.
Visit the docs for a complete project overview.
Smart Contracts in Scope
Deployments: Sepolia
V1 Core:
| Target URL | Type |
|---|---|
| MarginalV1Factory.sol | MarginalV1Factory |
| MarginalV1Pool.sol | MarginalV1Pool |
V1 Periphery:
| Target URL | Type |
|---|---|
| NonfungiblePositionManager.sol | NonfungiblePositionManager |
| Router.sol | Router |
| Quoter.sol | Quoter |
| Oracle.sol | Oracle |
| PoolInitializer.sol | PoolInitializer |
| PairArbitrageur.sol | PairArbitrageur |
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood:high | $100,000.00 | - |
| Likelihood:medium | - | - |
Out of Scope (all repositories)
Known Issues
Known issues from previous security reviews are considered out of scope.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Oracle manipulation attacks.
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
$100,000 USDC
Started on 8 Jul 2024
Delv / DELV Bounty
LiveThe bug bounty program is focused on DELV's Hyperdrive smart contracts and is mostly concerned with the loss of user funds and access to those funds without user permission.
To be eligible for a reward under the DELV Bug Bounty Program, you must:
- Discover a previously unreported and non-public vulnerability that would result in a loss of or a lock on any ERC-20 token in Hyperdrive. Each bug will only be considered for a reward once. This does not include third-party platforms interacting with the system.
- Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements and the section below.
- Provide sufficient information to enable our team to reproduce and fix the vulnerability. This includes providing a PoC.
- Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
- Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than the reward subject under this Program).
- Submit only one vulnerability per submission, unless you need to bundle vulnerabilities together in order to provide an accurate assessment of impact regarding any of the vulnerabilities.
- Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
- Not be one of our current or former employees or contractors.
- Comply with all applicable laws.
- Not be listed on any sanctions list of the United States, the United Kingdom, the European Union, or the United Nation, or directly or indirectly owned by or associated with such sanctioned person, or operating from or ordinarily resident in any jurisdiction subject to such sanctions.
Smart Contracts in Scope
delvtech/hyperdrive
Disclosure and Reporting Guidelines
To be eligible for a bounty, we require that Bug bounty hunters, security engineers, and researchers must:
- Make it a priority to avoid privacy violations, degradation of user experience, and disruption to production systems during security testing.
- Report vulnerabilities as soon as they have been discovered and keep them confidential between yourself and the DELV team. You may not use (other than as necessary to participate in this bug bounty program) and may not disclose to a third party any DELV confidential information, including identified vulnerabilities.
- Only use the Cantina.xyz bug reporting interface to report vulnerability information to us.
- Provide the team with at least 5 working days to investigate the issue and get back to you before taking any further action.
- DELV reserves the right to verify that the bounty hunter/researcher/security engineer meets these requirements and is eligible for payment.
- By reporting a vulnerability, you assign to Cantina (who assigns it to DELV) any intellectual property developed from your participation in this bug bounty program.
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood:high | $100,000.00 (Critical) | $20,000.00 (High) |
| Likelihood:medium | $20,000.00 (High) | $5,000.00 (Medium) |
Critical
- Direct theft of any user funds,
High
- Any governance voting result manipulation
- Temporary freezing of funds
Medium
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Theft of gas
- Unbounded gas consumption
Low
- At the discretion of DELV
Not all bugs will be material or warrant a bounty.
Out of Scope (all repositories)
Known Issues
- all acknowledged issues in the delvtech/hyperdrive repo are considered out of scope
- all known issues in previous security reviews are considered out of scope
- (any attempted fixes, that do not remediate the issue, remain in scope if the vulnerability exists after the fix)
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
- Attacks that the reporter has already exploited themselves, leading to damage
- Attacks requiring access to leaked keys/credentials
- Attacks requiring access to privileged addresses (governance, strategist)
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Basic economic governance attacks (e.g. 51% attack)
- Lack of liquidity
- Sybil attack
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of bugs or unpatched vulnerabilities. See "Disclosure and Reporting Guidelines" above for additional protections of DELV's confidential information.
$100,000 USDC
Started on 10 Jul 2024
Chronicle Labs / Chronicle Labs Bounty
LiveChronicle Protocol is a novel Oracle solution that has exclusively secured over $10B in assets for MakerDAO and its ecosystem since 2017. With a history of innovation, including the invention of the first Oracle on Ethereum, Chronicle Protocol continues to redefine Oracle networks. A blockchain-agnostic protocol, Chronicle overcomes the current limitations of transferring data on-chain by developing the first truly scalable, cost-efficient, decentralized, and verifiable Oracles, rewriting the rulebook on data transparency and accessibility.
Scribe's technical documentation at docs/ provides complete documentation of the technical decisions, external assumptions, internal invariants, as well as deployment and maintenance guides.
Smart Contracts in Scope
Scribe
chronicleprotocol/scribe/tree/v2
In scope:
- everything in
src/ - special focus for us:
- Unauthorized auth access
- Unauthorized addition or removal of validator/feed
- Being able to report a malicious price update
- Constructing a non-challengeable, invalid opPoke
- No "special" evm assumptions, ie evm fragmentation is a big issue and we want Scribe to be deployable on L2s etc without adjustments
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood:high | $50,000.00 | $30,000.00 |
| Likelihood:medium | $30,000.00 | $10,000.00 |
Out of Scope (all repositories)
Known Issues
Known issues (Acknowledged/won't fix) from previous security reviews are considered out of scope.
- Find previous security reviews here
- Schnorr signature aggregation scheme is vulnerable to rogue-key attacks (described here) Schnorr signature aggregation scheme is vulnerable to private keys with linear relationship (described here)
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors.
- Relatively high gas consumption.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Chronicle Labs cannot participate in the Bug Bounty.
$50,000 USDC
Started on 1 May 2024
Huma Finance / Huma Bounty
LiveOn-chain credit platform where high-performing receivables meet with global capital.
Visit the docs for a complete project overview.
Smart Contracts in Scope
huma-contracts-v2
| Name (address link) | Repo |
|---|---|
| huma-contracts-v2 | https://github.com/00labs/huma-contracts-v2/tree/main |
Excluding mocks, tests, scripts, etc. Valid issues must satisfy one of the severity definitions below.
Deployed Contracts Celo
| Name | Celo Address |
|---|---|
| Calendar | 0x129686C98916c7fFF9cf9110127402D070183610 |
| HumaConfig | 0x9345cc5617F906C62bE1608680B9C0FC3e7707B0 |
| HumaConfigTimelock | 0x14B067bac6039429A11baf564db90eDBcc4E27F3 |
| PoolConfigImpl | 0x7b6b28434c74E6DB5ba5c9a71eA6ff7A6D5071A5 |
| PoolFeeManagerImpl | 0x3D143343FC4bF823365A38Fb76A89754C5C22f77 |
| PoolSafeImpl | 0xd2FFCC9f6797ce2D7B503DC3287c4cc4D7fde77F |
| FirstLossCoverImpl | 0x0D9b3ecd2B890651EF7dF65650b419a202D38FF4 |
| RiskAdjustedTranchesPolicyImpl | 0xe780653d7c03A5199B3c13b8c663fcE2CDd72562 |
| FixedSeniorYieldTranchesPolicyImpl | 0x86c3a14EE6f0B9BFeE1439a9b6eA191B565a3A0F |
| PoolImpl | 0xa6C59ce6c1E1A519EcE7ad0Eeead31D485C7C8A9 |
| EpochManagerImpl | 0x5aF84f6c8c6738417e6081677f186839294b5eEc |
| TrancheVaultImpl | 0xf26A071833032Ce57769fdf530E81A28f15671df |
| CreditLineImpl | 0x73c16Db24951135BC8A628185BdbfA79115793E5 |
| ReceivableBackedCreditLineImpl | 0xE265E07F9d18Df940A75CfFfEA51211F4f0C46cC |
| ReceivableFactoringCreditImpl | 0x2DF0091067B29Cbac6bD8C2cE15334dEFEE9738C |
| CreditDueManagerImpl | 0xe1Bd10Bba7DF72527dB2F6955d8A731844C8bf84 |
| CreditLineManagerImpl | 0xC98dEAA52Ba4848079aA0A4e48BEA6f0AcdC542c |
| ReceivableBackedCreditLineManagerImpl | 0xAD3FB6bB897f85125436a63a5b8c3Dfb5928Fa4e |
| ReceivableFactoringCreditManagerImpl | 0x7EF17831D7153b085ccDEFc02373234Baec16243 |
| ReceivableImpl | 0x8920C27a3D76daA004f373f78fa1Ed01B4940FbA |
| LibTimelockController | 0x41B1Dd4c2bbcff308Ef95210532B97DF87D8c053 |
| PoolFactoryImpl | 0x2DA34B43089F20c87770674fb7d8Fa5b5384534b |
| PoolFactory | 0x85c8dC49B8DaA709e65dd2182e500E8AC3CaA6C7 |
Severity Definitions
Smart Contracts
| Severity level | Impact: High | Impact: Medium |
|---|---|---|
| Likelihood:high | $50,000.00 | $25,000.00 |
| Likelihood:medium | $25,000.00 | $10,000.00 |
Issues in Scope
Critical
Complete, or near complete, loss of all funds in the protocol.
High
Meaningful, but limited, loss of funds. Examples include a single pool vulnerable to complete loss of funds, or partial loss of TVL across the protocol such as 15% loss, etc.
Medium
Privilege escalation and circumventing access controls not leading to loss of funds in a way that qualifies as a higher severity.
Out of Scope (all repositories)
Known Issues
Known issues from previous security reviews are considered out of scope. (Spearbit-Security-Review)
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors. (E.g. yield calculation precision not leading to meaningful loss of funds.)
- Relatively high gas consumption.
- Centralization or admin risks.
All other issues acknowledged in the audits in the Spearbit-Security-Review
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor who currently works, or previously worked, with Huma Finance cannot participate in the Bug Bounty without prior approval. Examples include Huma contributors, security researchers who worked on Huma Finance code reviews, etc.
$50,000 USDC
Started on 5 Jul 2024
Spearbit / Spearbit Bounty
LiveSpearbit is a distributed network of industry-leading security researchers tackling the most complex and mission-critical protocols across web3.
Cantina is the one-stop shop for all your security needs, allowing you to source the best network of teams, freelancers, and services to keep your smart contracts secure.
Guidelines
-
Scope: Only vulnerabilities found on our websites
- https://spearbit.com and its subdomains are eligible for rewards.
-
Testing: Do not perform any testing that could disrupt our services or compromise user data.
-
Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.
-
Submission: All submissions must be done on this bounty repository on cantina code. More details on submissions here
Vulnerability Rewards
Here's a general overview:
| Severity | Reward Range |
|---|---|
| Critical | 25,000 |
| High | 20,000 |
| Medium | 10,000 |
| Low | Discretionary |
Severity Levels
-
Critical
- Remote code execution
- Unauthorized access to sensitive user data
- Ability to perform actions as a privileged user
-
High
- SQL injection
- Cross-Site Scripting (XSS) with significant impact
- Authentication bypass
-
Medium
- Cross-Site Request Forgery (CSRF)
- Server-side request forgery
- Sensitive information disclosure
-
Low
- Cross-Site Scripting (XSS) with limited impact
- Open redirects
- Clickjacking vulnerabilities
Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.
Out of Scope
The following activities and vulnerability types are considered out of scope for this bug bounty program:
- Physical attacks against our employees, offices, or data centers
- Social engineering attacks against our employees or users
- Vulnerabilities in applications or systems not owned by us
- Vulnerabilities requiring physical access to a user's device
- Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)
Testing Guidelines
To ensure safe and responsible testing:
- Use only your own accounts or test accounts for testing.
- Do not attempt to access, modify, or destroy data that does not belong to you.
- Be mindful of testing that might impact system availability or integrity.
- Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.
If you're unsure whether a specific test is allowed, please contact us before proceeding.
Thank you for helping us keep our platform secure!
$25,000 USDC
Started on 27 Jul 2024
Cantina / Cantina Bounty
LiveCantina is the one-stop shop for all your security needs, allowing you to source the best network of teams, freelancers, and services to keep your smart contracts secure.
Guidelines
-
Scope: Only vulnerabilities found on our websites
- https://cantina.xyz its subdomains are eligible for rewards.
-
Testing: Do not perform any testing that could disrupt our services or compromise user data.
-
Disclosure: Do not disclose any vulnerabilities publicly before we've had a chance to address them.
-
Submission: All submissions must be done on this bounty repository on cantina code. More details on submissions here
Vulnerability Rewards
Here's a general overview:
| Severity | Reward Range |
|---|---|
| Critical | 25,000 |
| High | 20,000 |
| Medium | 10,000 |
| Low | Discretionary |
Severity Levels
-
Critical
- Remote code execution
- Unauthorized access to sensitive user data
- Ability to perform actions as a privileged user
-
High
- SQL injection
- Cross-Site Scripting (XSS) with significant impact
- Authentication bypass
-
Medium
- Cross-Site Request Forgery (CSRF)
- Server-side request forgery
- Sensitive information disclosure
-
Low
- Cross-Site Scripting (XSS) with limited impact
- Open redirects
- Clickjacking vulnerabilities
Please note that the final reward amount is at the discretion of our security team and depends on the potential impact and exploitability of the reported vulnerability.
Out of Scope
The following activities and vulnerability types are considered out of scope for this bug bounty program:
- Physical attacks against our employees, offices, or data centers
- Social engineering attacks against our employees or users
- Vulnerabilities in applications or systems not owned by us
- Vulnerabilities requiring physical access to a user's device
- Recently disclosed 0-day vulnerabilities (within 2 weeks of public disclosure)
Testing Guidelines
To ensure safe and responsible testing:
- Use only your own accounts or test accounts for testing.
- Do not attempt to access, modify, or destroy data that does not belong to you.
- Be mindful of testing that might impact system availability or integrity.
- Important: Please be extremely cautious when performing any automated scans or tests that involve multiple requests. Excessive traffic may be flagged as malicious activity.
If you're unsure whether a specific test is allowed, please contact us before proceeding.
Thank you for helping us keep our platform secure!
$25,000 USDC
Started on 27 Jul 2024