lifi-contracts-bounty

@lifinance

Live

LI.FI is a cross-chain aggregation protocol that combines multiple bridges and DEXs to enable seamless asset transfers between different blockchains. The protocol uses a diamond pattern (EIP-2535) smart contract architecture in which a main contract delegates calls to specialized facet contracts that handle specific bridge and DEX integrations. It simplifies cross-chain transfers for both developers and users by providing a single unified solution instead of requiring individual bridge integrations.
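To make the delegation model concrete, here is an added, minimal illustration of the EIP-2535 routing described above. It is not LI.FI's code; the contract name, the selectorToFacet mapping and the setFacet function are assumptions chosen for the example. It shows why facets and the selector table are the security-relevant surface: every call is forwarded with delegatecall, so a facet runs with the diamond's storage, balance and msg.sender, and whoever can change the routing table controls every function of the diamond.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example of the EIP-2535 "diamond" delegation pattern.
/// Not LI.FI's code: Diamond, selectorToFacet and setFacet are assumed names.
contract Diamond {
    address public owner;
    // Routing table: function selector -> facet that implements it.
    mapping(bytes4 => address) public selectorToFacet;

    event FacetSet(bytes4 indexed selector, address indexed facet);

    constructor() {
        owner = msg.sender;
    }

    /// Register, replace or remove (facet == address(0)) the facet for a selector.
    /// This table is the trust boundary of the whole diamond, so it is owner-gated;
    /// the "Centralization By Design" exclusion above refers to controls like this.
    function setFacet(bytes4 selector, address facet) external {
        require(msg.sender == owner, "not owner");
        require(facet == address(0) || facet.code.length > 0, "facet has no code");
        selectorToFacet[selector] = facet;
        emit FacetSet(selector, facet);
    }

    /// Any call the diamond itself does not implement is looked up by selector and
    /// forwarded with delegatecall, so the facet executes in the diamond's context
    /// (its storage, its ETH/token balances, the original msg.sender).
    fallback() external payable {
        address facet = selectorToFacet[msg.sig];
        require(facet != address(0), "function does not exist");
        assembly {
            // Copy calldata, delegate, then bubble up the exact return/revert data.
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), facet, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    receive() external payable {}
}
```

When reviewing a facet for this kind of architecture, the consequence of the delegatecall is the thing to keep in mind: a bug in one facet (for example an unchecked external call target or missing input validation on a bridge parameter) is a bug with access to everything the diamond holds, which is why the impact tiers below are measured against the total user transfers flowing through the protocol rather than against a single integration.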

Scope

In-Scope Targets:

If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.

Out-of-Scope Targets:

  • Bridge-Specific Exclusions and DEX Aggregation Exclusions

    • Relayer Latency: Issues related to bridge transaction confirmation times without security impact

    • Bridge Fee Fluctuations: Economic concerns about variable bridge fees

    • Cross-Chain Reorg Scenarios: Theoretical concerns requiring deep blockchain reorganizations

    • Bridge Liquidity Limitations: Reports about insufficient liquidity on specific chains

    • Oracle Price Delays: Standard delays in price feeds without demonstration of exploitation

    • Slippage Within Tolerance: Expected price impacts within user-specified slippage limits

    • MEV and Front-Running: Standard front-running that's inherent to public blockchains

    • Route Optimization Suggestions: Reports suggesting better routing algorithms without security impact

    • Gas Optimizations: Suggestions for reducing gas costs without security implications

    • DEX Availability Issues: Temporary unavailability of specific integrated DEXes

  • Smart Contract Technical Exclusions

    • Centralization By Design: Admin control features that are documented and intentional
    • Governance Attacks: Requiring unrealistic token accumulation (>10% of total supply)
    • Non-Exploitable Reentrancy: Reentrancy patterns with proper safeguards in place
    • Flash Loan Attacks: Without proof of impact under realistic market conditions
    • Upgradeability Concerns: Issues inherent to our documented upgradeability pattern
  • Out of Scope / Invalid Reports

    • Third-Party Protocol Issues: Bugs in third party code are out of scope
    • Known Issues: Vulnerabilities listed in our documentation as "Known Issues"
    • Test Code Vulnerabilities: Issues in non-production test code
    • User Error Scenarios: Vulnerabilities requiring users to input obviously incorrect parameters
    • Theoretical Exploits: Attack scenarios without practical proof-of-concept
    • Known Issues Under Remediation: Vulnerabilities that have already been identified or are in the process of being fixed.
  • WebApp & Website Exclusions

    The following vulnerability types are explicitly excluded from the bug bounty program:

    • Client-Side Static Injections: Vulnerabilities that require modifying client-side code via browser developer tools or similar methods are not considered valid submissions.

    • Self-XSS Requiring Browser Console: Attacks requiring the victim to paste malicious code into their browser console are excluded.

    • OR-Based Injection Techniques: SQL injections or similar attacks that rely solely on logical OR operators without demonstrating actual data extraction or manipulation.

    • Theoretical Vulnerabilities: Issues that cannot be demonstrated with a practical proof of concept.

    • Rate Limiting Bypass through Multiple IPs: Using multiple IP addresses to circumvent rate limiting is not considered a valid vulnerability.

    • Missing Security Headers: Reports solely about missing security headers without demonstrating an actual exploit will not be accepted.

    • Social Engineering Required: Vulnerabilities requiring substantial social engineering to exploit are excluded.

    • Unvalidated Reports from Automated Tools: Findings from automated scanning tools without manual verification and exploitation proof.

    • Attacks Requiring Physical Access: Any attack that requires physical access to a user's device.

    • Clickjacking Using Iframes: Vulnerabilities related to framing the application within iframes (clickjacking) are excluded as these are addressed by our security headers and Content Security Policy.

    • Zero-day issues are not valid for five days after the CVE is publicly disclosed.

  • Documentation/Minor Issues

    • Documentation Discrepancies: Without security impact
    • Missing Events: Lack of event emissions that don't impact security
    • Missing Zero-Address Checks: Unless they lead to permanent fund loss
    • Missing Input Validation: For non-critical parameters

Prohibited Actions

  • No Unauthorized Testing on Production Environments:
    Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

    • We can set up a test environment upon request.
  • No Public Disclosure Without Consent:
    Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

  • No Exploitation or Data Exfiltration:
    Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

  • No Conflict of Interest:
    Individuals currently or formerly employed by LI.FI, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

The report must include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue, ideally with a proof of concept.
  • Details on the conditions under which the issue occurs.
  • Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must meet the following requirements:

  • Vulnerability Requirements

    • Discover Original Vulnerabilities: Submit previously unreported, in-scope vulnerabilities that aren't publicly known.
    • First Reporter Advantage: Be the first to report a specific vulnerability through proper channels.
    • Provide Clear Reproduction Steps: Include detailed information allowing our team to verify and fix the issue.
    • Responsible Disclosure: Report privately without public disclosure or exploitation for personal gain.
    • Minimize Impact: Take reasonable precautions to avoid data loss, privacy violations, or service disruptions.
  • Researcher Requirements

    • No Duplicate Rewards: The vulnerability must not stem from an issue that has already received a bounty.
    • Legal Compliance: Use only legal methods when identifying and reporting vulnerabilities. Threats or coercion will disqualify submissions.
    • Age Requirement: Be at least 18 years old, or have parental/guardian consent if younger.
    • Sanctions Compliance: Not be subject to OFAC sanctions or reside in countries under OFAC embargo.
    • No Conflicts of Interest: Not be a current/former employee, vendor, or contractor who worked on the vulnerable code.
    • Program Compliance: Follow all program rules and guidelines as detailed in our documentation.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level       Impact: Critical   Impact: High   Impact: Medium   Impact: Low
Likelihood: High     Critical           High           Medium           Low
Likelihood: Medium   High               High           Medium           Low
Likelihood: Low      Medium             Medium         Low              Informational

Impact Definitions for Smart Contracts:

  • Critical:
    • An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 50%-100% of the daily total user transfers across all EVM chains supported by LI.FI.
    • Governance
  • High:
    • An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 20%-50% of the daily total user transfers across all EVM chains supported by LI.FI.
  • Medium:
    • An issue that results in losses (by stealing, wasting or permanently freezing) amounting to 0.5%-20% of the daily total user transfers across all EVM chains supported by LI.FI.
    • Issues that could impact numerous users and have serious reputational, legal or financial implications
  • Low/Informational:
    • Minimal direct risk but may indicate areas for improvement.

Likelihood Definitions:

  • High: Very easy to exploit or highly incentivized.
  • Medium: Exploitation is possible under certain conditions.
  • Low: Difficult to exploit or requires very specific conditions.

Impact Definitions for WebApp and Website:

Critical

  • For Website
    • Remote code execution (RCE) on production servers
    • SQL injection leading to full database access
    • Authentication bypass allowing unrestricted access to admin functionality
    • Ability to access, modify, or delete other users' data without authorization
    • Stored cross-site scripting (XSS) in high-traffic areas affecting multiple users
    • Session fixation/hijacking allowing complete account takeover
    • CSRF vulnerabilities that can change critical account settings or perform privileged actions
    • Vulnerabilities exposing PII (personally identifiable information) of multiple users
    • Insecure direct object references (IDOR) affecting sensitive data
    • Upload functionality allowing execution of malicious files
  • WebApp
    • Authentication bypass allowing unrestricted API access
    • Authorization flaws allowing access to other users' data or functionality
    • Injection vulnerabilities (SQL, NoSQL, etc.) with significant data exposure
    • Broken access controls leading to privilege escalation
    • API keys or secrets exposure in responses
    • Rate limiting bypass that could lead to service disruption
    • Business logic flaws allowing unlimited resource consumption
    • Insecure deserialization vulnerabilities
    • Server-side request forgery (SSRF) with access to internal systems
    • Side-channel attacks revealing encryption keys or sensitive data

High Impact

  • Website

    • Stored XSS in less critical areas
    • Reflected XSS requiring minimal user interaction
    • CSRF vulnerabilities affecting important but non-critical functions
    • Open redirects with potential for sophisticated phishing
    • Username/email enumeration combined with weak rate limiting on login
    • Insecure password reset functionality
    • Web Cache poisoning leading to injection of malicious code
    • Clickjacking vulnerabilities on sensitive functions
    • Unvalidated redirects to malicious sites
    • Moderate information disclosure of system information
  • WebApp

    • Improper input validation leading to unexpected behavior
    • Insecure implementation of API authentication
    • Missing function-level authorization checks
    • Excessive data exposure in API responses
    • Improper asset management (unpatched/outdated API endpoints)
    • Mass assignment vulnerabilities
    • Unprotected admin functionality
    • Web Cache poisoning leading to injection of malicious code
    • Sensitive operation without requiring re-authentication
    • Insecure default configurations

Medium Impact

  • Website
    • DOM-based XSS requiring complex user interaction
    • Reflected XSS with limited impact
    • CSRF in non-sensitive functions
    • Clickjacking on non-sensitive pages
    • Missing security headers (CSP, X-Frame-Options, etc.)
    • Weak password policies
    • Username/email enumeration
    • Web Cache poisoning leading to significant user disruption
    • Overly verbose error messages revealing implementation details
    • Insecure cookie settings (missing Secure/HttpOnly flags)
    • Mixed content warnings
  • WebApp
    • Lack of proper HTTPS implementation
    • Missing rate limiting on non-critical endpoints
    • Verbose error messages revealing implementation details
    • Inconsistent authorization checks
    • Web Cache poisoning leading to significant user disruption
    • API versioning issues causing backward compatibility problems
    • Response manipulation weaknesses
    • HTTP method overriding issues

Low Impact

  • Website

    • Self-XSS (requiring significant user interaction)
    • Cross-site request forgery (CSRF) on non-sensitive actions
    • Minor client-side security issues with limited impact
    • Minor information disclosure (versions, technology stack)
    • Missing but non-critical security headers
    • Expired SSL/TLS certificates
    • Lack of DNSSEC
    • Lack of HTTP Strict Transport Security (HSTS)
    • Minor issues with content security policy
  • WebApp

    • Lack of API documentation
    • Lack of security-related HTTP headers
    • Unnecessary HTTP methods enabled
    • Improper caching configurations
    • Verbose API error codes
    • Outdated API versions still accessible but not used
    • Disclosure of non-sensitive server information
    • Missing MIME type checking with limited security impact
    • Lack of HTTP security headers on API responses
    • Suboptimal implementation of rate limiting
    • Insufficient logging of security events

Payout Guidelines

  • Core Smart Contract Code

    Risk Score   Payout Range
    Critical     $100,000 to $1,000,000
    High         $10,000 to $100,000
    Medium       $5,000 to $10,000
    Low          Discretionary

    Rewards are capped at 10% of the funds impacted.

  • WebApp

    Risk Score   Payout Range
    Critical     $10,000 to $25,000
    High         $1,000 to $10,000
    Medium       $500 to $1,000
    Low          Discretionary

  • Website

    Risk Score   Payout Range
    Critical     $2,500 to $7,500
    High         $1,000 to $2,500
    Medium       Up to $1,000
    Low          Discretionary

Note: Actual reward amounts are determined at LI.FI’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant LI.FI the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of LI.FI. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.

Total reward

$1,000,000

Findings submitted

19

Start date

Mar 20, 2025
