
Threshold / thUSD Bounty

Threshold USD is a decentralized protocol that enables you to borrow thUSD, a stablecoin soft-pegged to USD and backed by ETH and tBTC as collateral with a minimum collateral ratio of 110%. Originated as a modified fork of Liquity Protocol, Threshold USD was built to be self-sustaining through a PCV ("Protocol Controlled Value"). There is no equivalent of the LQTY token in Threshold USD; instead, all revenues accrue to the PCV. Since there is no token, bootstrapping is completed through an Initial Protocol Loan. The result of the protocol owning its own liquidity ("PCV") is a more predictable trajectory and a sustainable long-term product. The stability pool is funded by the PCV instead of user deposits, so no funds are spent on rewards and those funds can instead be re-injected into the stability pool. As the protocol grows and accrues fees, the stability pool will be consistently topped up.

For more information about thUSD, please visit https://app.thresholdusd.org/

Visit the docs for a complete project overview.

Smart Contracts in Scope

Smart Contract | Link
THUSDToken | https://etherscan.io/address/0xCFC5bD99915aAa815401C5a41A927aB7a38d29cf
BorrowerOperations (tBTC) | https://etherscan.io/address/0xf5e4fFeB7d2183B61753AA4074d72E51873C1D0a
StabilityPool (tBTC) | https://etherscan.io/address/0xF6374AEfb1e69a21ee516ea4B803b2eA96d06f29
TroveManager (tBTC) | https://etherscan.io/address/0xfC7d41A684b7dB7c817A9dDd028f9A31c2F6f893
PCV (tBTC) | https://etherscan.io/address/0x097f1ee62E63aCFC3Bf64c1a61d96B3771dd06cB
PriceFeed (tBTC) | https://etherscan.io/address/0x83aE3931C5D03773755311372c0737F856657a43
bLens (tBTC) | https://etherscan.io/address/0x65222d72f13860913fEF03f088c385Cbfc11A50c
BAMM (tBTC) | https://etherscan.io/address/0x1f490764473eb1013461D6079F827DB95d8B4DC5
SortedTroves (tBTC) | https://etherscan.io/address/0xA5626CBA9A4448019e73CE59784bD22736986711
ActivePool (tBTC) | https://etherscan.io/address/0x4dbcb0cFf525B91E8b9D18b224c1B45feF008549
CollSurplusPool (tBTC) | https://etherscan.io/address/0x3BEC529c86317C64305dc161998Fb7f40078F200
multiTroveGetter (tBTC) | https://etherscan.io/address/0xd74DFFDC614b84610329AF4707D8Dcc484c735d0
DefaultPool (tBTC) | https://etherscan.io/address/0xbe037954B419676904117F0D7d7e15f78FF1Bf4B
GasPool (tBTC) | https://etherscan.io/address/0x8a7C0b18FB80Bd0a1d3530262B15264278e5f64D
HintHelpers (tBTC) | https://etherscan.io/address/0x2249e86a4b99EcCC081600C11B2B30FF64202f55
TellorCaller (tBTC) | https://etherscan.io/address/0x0278aC7067F66a66a91466cd420f6F8Efae15C32
BorrowerOperations (ETH) | https://etherscan.io/address/0x874a8ee5b4Cc0B9973c7c002FA891fc28666cAA9
StabilityPool (ETH) | https://etherscan.io/address/0xA18Ab4Fa9a44A72c58e64bfB33D425Ec48475a9f
TroveManager (ETH) | https://etherscan.io/address/0x27D7D02AED6C4F95Ada2faf02DcCB9666D3abB8C
PCV (ETH) | https://etherscan.io/address/0x1a4739509F50E683927472b03e251e36d07DD872
PriceFeed (ETH) | https://etherscan.io/address/0x684645ccAB4d55863A149C52eC3176051Cdb732d
bLens (ETH) | https://etherscan.io/address/0xf21AcB3C2E8418fc5466bc794f9970df7255aE28
BAMM (ETH) | https://etherscan.io/address/0x920623AcBa785ED9a70d33ACab53631e1e834675
SortedTroves (ETH) | https://etherscan.io/address/0xE5Ada07ACE9412A623B0A282Cd67d16a3a094E17
ActivePool (ETH) | https://etherscan.io/address/0xE922B5591Da479a559b25261BD6Dc8f89cA1A29d
multiTroveGetter (ETH) | https://etherscan.io/address/0x8836b66727bbde25974110442Bb46B7a4805B36c
CollSurplusPool (ETH) | https://etherscan.io/address/0x67dbd2ad541c61d37F17B0515d2e452e04597A36
DefaultPool (ETH) | https://etherscan.io/address/0xa8BdAb0F0D3f5Cd04d29df5f4ba6B43d7cdb7Ba9
GasPool (ETH) | https://etherscan.io/address/0x34Fbfd06Cb537aBd1a75E91A9Cf7F5B61B47eCa6
HintHelpers (ETH) | https://etherscan.io/address/0xF3dA35dd10Ed653Fd66Eb03D349EDfD139521Df5
TellorCaller (ETH) | https://etherscan.io/address/0xD1ACC73E5617EA6a4676C534b266193Ac633DeA2
RedStone Adapter (ETH) | https://explorer.gobob.xyz/address/0x3318adE690b5A1029c2dF032FCe52D455e437514
RedStone Adapter (tBTC) | https://explorer.gobob.xyz/address/0x87C80adC0E1cf4696B8850c8aE7B43Eb2781Ba1f
Frontend-dev | https://github.com/Threshold-USD/dev/tree/thUSD/packages/dev-frontend

Severity Definitions

Smart Contracts severity levels

Severity level     | Impact: High | Impact: Medium | Impact: Low
Likelihood: high   | Critical     | High           | Medium
Likelihood: medium | High         | Medium         | Low
Likelihood: low    | Medium       | Low            | -
  • Critical:

    • Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
    • Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
    • Permanent freezing of funds
    • Protocol insolvency
  • High:

    • Theft of unclaimed yield
    • Permanent freezing of unclaimed yield
    • Temporary freezing of funds for more than 1 week
  • Medium:

    • Smart contract unable to operate due to lack of token funds
    • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
    • Unbounded gas consumption
  • Low:

    • Contract functions are affected, but without loss of funds or other severe impact

Website and application severity levels

  • Critical:

    • Gaining access to sensitive data or files from an active server, such as:
      • /etc/shadow,
      • Passwords and private keys (excluding non-sensitive environment variables, open-source code, or usernames).
    • Performing authenticated, state-modifying actions (with or without blockchain state interaction) on behalf of other users without their consent.
    • Subdomain takeover that allows interactions with an already-connected wallet.
    • Direct theft of user funds.
    • Malicious activities involving an already-connected wallet, such as:
      • Altering transaction arguments or parameters,
      • Replacing contract addresses,
      • Executing malicious transactions.
  • High:

    • Injecting or modifying static content on the target application without using JavaScript (Persistent), including:
      • HTML injection without JavaScript,
      • Replacing existing text with arbitrary content,
      • Uploading arbitrary files, etc.
    • Subdomain takeover without interactions involving an already-connected wallet.
    • Causing the application or website to become unavailable or go offline.

A PoC is required for the following severity levels:

  • Smart Contract - All severities
  • Web/App - Critical
  • Web/App - High
  • Web/App - Medium

Rewards

Rewards for Smart Contract Bugs

Severity | Reward Amount | PoC Required
Critical | $250,000      | Yes
High     | $20,000       | Yes
Medium   | $2,000        | Yes
Low      | $1,000        | Yes

Reward Levels

  • Critical: Up to $250,000, minimum payout $7,500. Rewards will be further capped at 10% of direct funds at risk if the bug discovered is exploited.
  • High: Up to $20,000, minimum payout $5,000. Rewards will be further capped at 100% of direct funds at risk if the bug discovered is exploited.

Rewards for Website & Application

Severity | Reward Amount | PoC Required
Critical | $10,000       | Yes
High     | $5,000        | Yes
Medium   | $1,000        | Yes

Reward Levels

  • Critical: Up to $10,000, minimum payout $5,000. Rewards will be further capped at 10% of direct funds at risk if the bug discovered is exploited.

  • High: Up to $5,000, minimum payout $1,000. Rewards will be further capped at 100% of direct funds at risk if the bug discovered is exploited.

Out of Scope

These impacts are out of scope for this bug bounty program. General:

  • Consequences resulting from exploits the reporter has already carried out, which lead to damage.
  • Issues caused by attacks that require access to leaked keys or credentials.
  • Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
  • Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
  • References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.

Smart Contracts:

  • Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
  • Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
  • Problems related to insufficient liquidity.
  • Issues stemming from Sybil attacks.
  • Concerns involving risks of centralization.
  • Suggestions for best practices.

Web/App:

  • Theoretical issues that lack proof or demonstration.
  • Attacks requiring physical access to the victim's device.
  • Problems requiring access to the victim's local network.
  • CSRF issues without any state-changing security impact (e.g., logout CSRF).
  • Disclosure of non-confidential server-side information, such as IP addresses, server names, or stack traces.
  • Issues that only confirm the existence of users or tenants.
  • Problems that involve vulnerabilities requiring unsolicited user actions that are outside normal app workflows.
  • Lack of SSL/TLS best practices.
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) issues.
  • User experience (UX) or user interface (UI) issues that do not significantly disrupt platform usage.
  • Issues primarily caused by browser or plugin defects.
  • Leakage of non-sensitive API keys (e.g., Etherscan, Infura, Alchemy).
  • Misconfigured SPF/DMARC records.
  • Missing HTTP headers without a demonstrated impact.
  • Automated scanner reports that do not demonstrate an impact.

Known Issues

thUSD has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.

Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using foundry.
  • Public disclosure of bugs without the consent of the protocol team.
  • Any denial of service attacks executed against project assets.
  • Automated testing of services that results in a denial of service.
  • Conflict of interest: any employee or contractor working with the Project Entity cannot participate in the Bug Bounty.
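The following is an added example of what the recommended local-fork testing looks like with Foundry; it is not part of this program page or of the Threshold USD codebase. It forks mainnet in-process so no transaction ever reaches the live deployment, then reads the in-scope TroveManager and PriceFeed contracts (ETH market addresses from the scope table above). It assumes an ETH_RPC_URL environment variable, the forge-std library, and that TroveManager and PriceFeed expose the Liquity-style views MCR(), getCurrentICR(address,uint256), getTroveOwnersCount(), getTroveFromTroveOwnersArray(uint256) and fetchPrice(); those signatures are assumed from the protocol's Liquity lineage and should be checked against the verified source on Etherscan before use.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Added example (not project code): a Foundry fork test against the in-scope
// thUSD contracts. Everything runs on a local fork; nothing is broadcast.
// Usage:
//   ETH_RPC_URL=https://<your-node> forge test --match-contract ThusdForkExample -vv
import "forge-std/Test.sol";

// Assumed ABI, inherited from Liquity's TroveManager; verify on Etherscan.
interface ITroveManager {
    function MCR() external view returns (uint256);
    function getCurrentICR(address borrower, uint256 price) external view returns (uint256);
    function getTroveOwnersCount() external view returns (uint256);
    function getTroveFromTroveOwnersArray(uint256 index) external view returns (address);
}

// Assumed ABI, inherited from Liquity's PriceFeed. fetchPrice() is state-changing
// in Liquity (it updates the last good price), so it must run in a fork, not via eth_call alone.
interface IPriceFeed {
    function fetchPrice() external returns (uint256);
}

contract ThusdForkExample is Test {
    uint256 internal constant ONE = 1e18;

    ITroveManager internal troveManagerEth;
    ITroveManager internal troveManagerTbtc;
    IPriceFeed internal priceFeedEth;

    function setUp() public {
        // Fork at the node's latest block; all subsequent state changes stay local.
        vm.createSelectFork(vm.envString("ETH_RPC_URL"));

        // In-scope addresses copied from the program's scope table; parsed as strings
        // so the compiler's EIP-55 literal check does not depend on casing.
        troveManagerEth = ITroveManager(vm.parseAddress("0x27D7D02AED6C4F95Ada2faf02DcCB9666D3abB8C"));
        troveManagerTbtc = ITroveManager(vm.parseAddress("0xfC7d41A684b7dB7c817A9dDd028f9A31c2F6f893"));
        priceFeedEth = IPriceFeed(vm.parseAddress("0x684645ccAB4d55863A149C52eC3176051Cdb732d"));
    }

    // The program text states a 110% minimum collateral ratio; confirm the deployed
    // constant agrees for both collateral markets before building any PoC on top of it.
    function test_mcrIs110Percent() public {
        assertEq(troveManagerEth.MCR(), 11 * ONE / 10, "ETH market MCR");
        assertEq(troveManagerTbtc.MCR(), 11 * ONE / 10, "tBTC market MCR");
    }

    // Walk every open trove in the ETH market and log those below MCR at the current
    // oracle price. Liquidatable troves are expected protocol state, not a finding,
    // so they are reported rather than asserted on; a zero price from the oracle is.
    function test_reportTrovesBelowMcr() public {
        uint256 price = priceFeedEth.fetchPrice();
        assertGt(price, 0, "oracle returned zero price");

        uint256 mcr = troveManagerEth.MCR();
        uint256 count = troveManagerEth.getTroveOwnersCount();
        for (uint256 i = 0; i < count; i++) {
            address owner = troveManagerEth.getTroveFromTroveOwnersArray(i);
            uint256 icr = troveManagerEth.getCurrentICR(owner, price);
            if (icr < mcr) {
                emit log_named_address("trove below MCR", owner);
                emit log_named_uint("  ICR (1e18 = 100%)", icr);
            }
        }
    }
}
```

Any proof of concept for this program should be built the same way: fork, act, assert, and include the fork block number in the report so the team can reproduce it. Pin the block with vm.createSelectFork(url, blockNumber) once a PoC is stable, and never point forge at a live deployment with --broadcast, which the Prohibited Actions above rule out.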

Summary

Status

Live

Total reward:

$250,000 USDC

Start date:

28 Aug 2024 8:00pm (local time)


© 2024 Cantina. All rights reserved.