Kiln / Kiln V2 Bounty

Kiln On-Chain (v2) enables non-custodial platforms to propose an ETH staking offer where users can stake any amount of ETH on operator pools while remaining the only one able to access their staked assets.

The goal of these Ethereum Smart Contracts is to enable:

  • Operators to register the deposit data of their validation keys on their operator vFactory Smart Contract
  • Operators to propose deposit services, such as pooling, on top of their vFactory
  • Integrators to propose white-labelled staking offers on top of operator pools with their own Smart Contract
  • Users to deposit any amount of ETH to be staked
  • Integrators and Operators to have a performance fee dispatched on-chain

This Bug Bounty is focused on Kiln On-Chain v2 Smart Contracts only; all items regarding dApps or validation infrastructure are out of scope but can be submitted to security@kiln.fi.

For more information about Kiln On-Chain, please visit https://www.kiln.fi/kiln-on-chain

Smart Contracts in Scope

| Smart Contract | Address |
|---|---|
| Nexus | 0x8a113da63f02811e63c1e38ef615df94df5d9e70 |
| Factory (Coinbase Cloud) | 0x2d5e65ff87d986d18ac224e725dc654bec3a04cd |
| Pool (Coinbase Cloud Pool) | 0x8eea6cc08d824b20efb3bf7c248de694cb1f75f4 |
| Oracle Aggregator (Coinbase Cloud Pool) | 0x4e6a0740aa4c89c7e36c430afe3dd3bec68b6aec |
| Pool (Coinbase Cloud Pool) | 0xd54ede626441ae514b15743d6a78a74c664b30a2 |
| Oracle Aggregator (Coinbase Cloud Pool) | 0x99a6d933bd22040136b7ccd5dbc3acdf2c103be6 |
| Factory (Kiln) | 0xc63d9f0040d35f328274312fc8771a986fc4ba86 |
| Pool (Kiln Pool) | 0x00a0be1bbc0c99898df7e6524bf16e893c1e3bb9 |
| Oracle Aggregator (Kiln Pool) | 0xd9f56e8a1b159b1482ec3bb6ce742fa5ce084f4c |
| factoryHatcher | 0xa748ae65ba11606492a9c57effa0d4b7be551ec2 |
| treasuryHatcher | 0x48005e62373277fbbe5584b351830b1b2ec1e3fd |
| poolHatcher | 0x1d6103243d0507a9d1314bac09379bf57a5cf155 |
| withdrawalRecipientHatcher | 0x066b6c3fca9034395068eb9d442ee5041eac33dc |
| execLayerRecipientHatcher | 0xdac8cf86ca42185ebce7ed2dbec9bc2be1734ffc |
| coverageRecipientHatcher | 0x24d6e12fa25b7f8fc6b4bba0ea77fc643d7210d3 |
| oracleAggregatorHatcher | 0xc2c48fbfec0e61683133aaff32c9c2e98fd17788 |
| exitQueueHatcher | 0x24a1dfebaec4e501c2152a5e4a434b236fce3d3b |
| ONTO Wallet Staked ETH (owsETH) | 0x0a3d5e898fa7e7d593a940486095c156c01a0b0c |
| Staking Rewards Partial ETH (srpETH) | 0x18099b65842cada4d87075920986559d9216a5bf |
| On-Chain Staked Ethereum (ocsETH) | 0x2401c39d7ba9e283668a53fcc7b8f5fd9e716fdf |
| CDP Staked ETH (CDPstakedETH) | 0x2e3956e1ee8b44ab826556770f69e3b9ca04a2a7 |
| Coinbase Wallet Staked ETH (cbwsETH) | 0x30a4aa1d14d44f0f5bfe887447ab6facc94a549f |
| CoolWallet Staked ETH (cwstETH) | 0x42ecf9bde9078d659663da66b97c4823f762005e |
| Crypto.com Defi Wallet ETH (cdwETH) | 0x437636e4b984eae19045626aa269a89f906cf96c |
| Walletverse Staked ETH (wvETH) | 0x594db36d6f3e747f2c7675659f712bf4d72a9f97 |
| Giddy Wallet Staked ETH (GiddyETH) | 0x5b1c9ee05794e9667806f1bd1c6ae6d196498183 |
| Pooled Staked ETH (psETH) | 0x5db5235b5c7e247488784986e58019fffd98fda4 |
| Bitnovo Staked ETH (bnETH) | 0x61ac42269d0035cd86c52b6c5bb299daa73c7135 |
| CDP Staked ETH (CDPstakedETH) | 0x7d4b92522df1c7d211cbab49148d9d260b5a5e41 |
| Dakota Kiln Staked ETH (dkETH) | 0x9995f241c6a0d5b712281dfd3bd0e0289a5f2a98 |
| MEW_Coinbase Staked ETH (MEWcbETH) | 0xba1613cf1ff0d7307315f1d98465e27877ad3f02 |
| Veno Kiln staked ETH (VenoKilnETH) | 0xe5faa3fcc7729c3ac7b4571207bb5978e5c33e81 |

Documentation for the assets provided in the table can be found at

Severity Definitions

Smart Contracts severity levels

| Severity level | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likelihood: high | Critical | High | Medium |
| Likelihood: medium | High | Medium | - |
| Likelihood: low | Medium | - | - |

Critical:

  • Complete loss of funds or permanent freezing of funds

High:

  • Theft of unclaimed yield, commission/fees, or permanent freezing of unclaimed yield
  • Temporary freezing of funds > 2 days (excluding potential delay due to an oracle)

Medium:

  • Smart contracts inoperable due to lack of funds
  • Griefing or unbounded gas consumption

A PoC is required for the following severity levels:

  • Smart Contract:
    • Critical
    • High
    • Medium

Rewards

Rewards for Smart Contract Bugs

| Severity | Reward Amount |
|---|---|
| Critical | $500,000 |
| High | $50,000 |
| Medium | $20,000 |

Reward Levels

  • Critical: Up to $500,000, minimum payout $100,000. Rewards will be further capped at 10% of direct funds at risk, based on the valid PoC provided.

  • High: Up to $50,000, minimum payout $20,000. Rewards will be further capped at 100% of direct funds at risk, based on the valid PoC provided. In the case of a temporary freeze of funds, the reward is proportional to the amount of funds locked and increases with the freeze duration, up to the maximum cap of the High severity level.

  • Medium: Up to $20,000, minimum payout $5,000. Rewards will be further capped at 100% of direct funds at risk, based on the valid PoC provided.

  • The bug bounty has a hard cap of $1,000,000. If multiple bug findings are submitted whose rewards together exceed this amount, the rewards will be distributed on a first come, first served basis.

Out of Scope

These impacts are out of scope for this bug bounty program.

General:

  • Consequences resulting from exploits the reporter has already carried out, which lead to damage.
  • Issues caused by attacks that require access to leaked keys or credentials.
  • Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
  • Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
  • References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.

Smart Contracts:

  • Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
  • Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
  • Problems related to insufficient liquidity.
  • Issues stemming from Sybil attacks.
  • Concerns involving risks of centralization.
  • Suggestions for best practices.

Roles:

  • Admin, proxy admin, hatcher admin, treasury, oracles and other admin roles are trusted to behave properly and in the best interest of the users. They should not be considered malicious. Submissions citing malicious behaviour of these roles will be considered invalid.

Known Issues

Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.

Disclosure

Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:

  • Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
  • Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
  • During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
  • After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
  • The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
  • If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.

Eligibility

Security researchers who fall under any of the following are ineligible for a reward:

  • Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.

KYC

The following information is required for payments:

  • If the claim comes from an individual:
    • First names, surnames, date and place of birth of the person concerned
    • A valid ID
  • If the claim comes from a business:
    • Legal form, name, registration number and address of the registered office
    • Valid certificate of incorporation
    • List of shareholders/directors

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using Foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Any denial of service attacks executed against project assets.
  • Automated testing of services that results in a denial of service.
  • Conflict of interest: any employee or contractor working with the Project Entity cannot participate in the Bug Bounty.
  • Attempting phishing or other social engineering attacks against our employees and/or customers.

Summary

Status: Live

Total reward: $500,000 USDC

Start date: 9 Sep 2024 12:00am (local time)

© 2024 Cantina. All rights reserved.