Votre
Total reward: $100,000
Findings submitted: 10
Start date: 28 Jul 2025
Votre is a next-generation crypto lending platform built to empower digitally native high-net-worth individuals, family offices, and funds with secure, liquidation-free borrowing solutions. Built on Base and using cbBTC, Votre offers industry-leading LTVs (up to 90%), low interest rates (3-4%), and more tax-efficient structures compared to competitors like Ledn, Arch, and SALT.
Scope
In-Scope Targets:
- Core Contracts:
- Web Interface / Application:
- Currently out of scope, while the protocol is in private beta stage. Will be in scope after public launch. BBP will be updated once that happens.
- Only relevant when impacting non-testnet usage.
- https://www.votre.xyz/
- https://app.votre.xyz/
- https://docs.votre.xyz/
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Provider offers do not limit execution price (only strike percentages), nor do they have deadlines, and they are expected to be actively managed.
- No refund of protocol fee for position cancellations / rolls. Fee APR and roll frequency are assumed to be low, and rolls are assumed to be beneficial enough to users to be worth it. Accepted as low risk economic issue.
- Protocol fee (charged from provider offer, on top of provider position) can be high relative to provider position's size, especially for smaller callStrikePercent.
- Because oracle prices undergo multiple conversions (feeds, token units), asset and price feed combinations are assumed to have been checked with respect to decimals and price ranges (e.g., low-price tokens) so that they allow sufficient precision.
- In case of congestion, calls to openPairedPosition (and openLoan, which uses it) and to executeRoll can be executed at a higher price than the user intended (if the price is lower, openLoan and executeRoll have slippage protection, and openPairedPosition has better upside for the caller). This is accepted as low likelihood and low impact: the loss is small because short congestion results in only a small price change relative to the original intent, and long downtime would fail the oracle sequencer uptime check.
- If an oracle becomes malicious, there isn't a way to "unset" it. ConfigHub can prevent opening new positions for that pair, but existing positions will remain vulnerable.
- If a collar position is settled via settleAsCancelled (due to an oracle malfunction, or because no one called the regular settle for one week), the Loan using that position can still be closed, but the amount of underlying returned may not correspond well to the current price (because the collar position is settled at its opening price). The loan can also be cancelled if desired.
- Any tokens accidentally sent to any of the contracts cannot be rescued.
- Issues and considerations explained in the Solidity comments and audit reports.
- If deploying on a chain which can re-org, theoretically a re-org can allow an offer to be substituted by another. We see such a scenario as an extremely unlikely coincidence of implausibilities.
- Offer parameters that should be validated on position creation are not checked on offer creation. Doing so is neither necessary nor sufficient (since config can change) and would add complexity for no benefit. Such checks are expected on the frontend for UX.
- In a block whose timestamp is exactly the expiration timestamp, multiple actions are valid (settle, close, roll). If the block is viewed as "containing" the timestamp, the logic is consistent. The main reason for allowing this is that each of those actions is safe to perform in that block, and state contention is not an impact.
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Votre, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Reports must include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|---|
Likelihood: High | Critical | High | Medium | Low |
Likelihood: Medium | High | High | Medium | Low |
Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
For Critical and High severity reports, the reward amount is 10% of the funds directly affected up to the maximum for the severity category.
- Core Smart Contract Code
Risk Score | Payout Range |
---|---|
Critical | USD 20,000 - USD 100,000 |
High | USD 5,000 - USD 20,000 |
Medium | USD 1,000 - USD 5,000 |
- Web Interface / Frontend
Risk Score | Payout Range |
---|---|
Critical | USD 5,000 - USD 10,000 |
High | USD 1,000 - USD 5,000 |
Note: Actual reward amounts are determined at Votre’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant Votre the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Votre. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.