Threshold / thUSD Bounty
Threshold USD is a decentralized protocol that lets you borrow thUSD, a stablecoin soft-pegged to USD and backed by ETH and tBTC as collateral, with a minimum collateral ratio of 110%. It originated as a modified fork of Liquity Protocol and was built to be self-sustaining through a PCV ("Protocol Controlled Value"). There is no equivalent of the LQTY token in Threshold USD; instead, all revenues accrue to the PCV. Since there is no token, bootstrapping is completed through an Initial Protocol Loan. Because the protocol owns its own liquidity (the PCV), its trajectory is more predictable and the product is sustainable over the long term. The stability pool is funded by the PCV instead of user deposits, so no funds are spent on rewards and those funds can instead be re-injected into the stability pool. As the protocol grows and accrues fees, the stability pool will be consistently topped up.
For more information about thUSD, please visit https://app.thresholdusd.org/
Visit the docs for a complete project overview.
Smart Contracts in Scope
- All code of thUSD can be found at https://github.com/Threshold-USD/dev/tree/thUSD.
Severity Definitions
Smart Contracts severity levels
Severity level | Impact: High | Impact: Medium | Impact: Low |
---|---|---|---|
Likelihood: high | Critical | High | Medium |
Likelihood: medium | High | Medium | Low |
Likelihood: low | Medium | Low | - |
Critical:
- Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol insolvency
High:
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds for more than 1 week
Medium:
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Unbounded gas consumption
Low:
- Contract functions are affected, but without loss of funds or severe impact
Website and application severity levels
Critical:
- Gaining access to sensitive data or files from an active server, such as:
  - /etc/shadow,
  - Passwords and private keys (excluding non-sensitive environment variables, open-source code, or usernames).
- Performing authenticated, state-modifying actions (with or without blockchain state interaction) on behalf of other users without their consent.
- Subdomain takeover that allows interactions with an already-connected wallet.
- Direct theft of user funds.
- Malicious activities involving an already-connected wallet, such as:
  - Altering transaction arguments or parameters,
  - Replacing contract addresses,
  - Executing malicious transactions.
High:
- Injecting or modifying static content on the target application without using JavaScript (Persistent), including:
  - HTML injection without JavaScript,
  - Replacing existing text with arbitrary content,
  - Uploading arbitrary files, etc.
- Subdomain takeover without interactions involving an already-connected wallet.
- Causing the application or website to become unavailable or go offline.
A PoC is required for the following severity levels:
- Smart Contract - All severities
- Web/App - Critical
- Web/App - High
- Web/App - Medium
Rewards
Rewards for Smart Contract Bugs
Severity | Reward Amount | PoC Required |
---|---|---|
Critical | $250,000 | Yes |
High | $20,000 | Yes |
Medium | $2,000 | Yes |
Low | $1,000 | Yes |
Reward Levels
- Critical: Up to 7,500. Rewards will be further capped at 10% of direct funds at risk if the discovered bug were exploited.
- High: Up to 5,000. Rewards will be further capped at 100% of direct funds at risk if the discovered bug were exploited.
Rewards for Website & Application
Severity | Reward Amount | PoC Required |
---|---|---|
Critical | $10,000 | Yes |
High | $5,000 | Yes |
Medium | $1,000 | Yes |
Reward Levels
- Critical: Up to 5,000. Rewards will be further capped at 10% of direct funds at risk if the discovered bug were exploited.
- High: Up to 1,000. Rewards will be further capped at 100% of direct funds at risk if the discovered bug were exploited.
Out of Scope
These impacts are out of scope for this bug bounty program.
General:
- Consequences resulting from exploits the reporter has already carried out, which lead to damage.
- Issues caused by attacks that require access to leaked keys or credentials.
- Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
- Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
- References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.
Smart Contracts:
- Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
- Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
- Problems related to insufficient liquidity.
- Issues stemming from Sybil attacks.
- Concerns involving risks of centralization.
- Suggestions for best practices.
Web/App:
- Theoretical issues that lack proof or demonstration.
- Attacks requiring physical access to the victim's device.
- Problems requiring access to the victim's local network.
- CSRF issues without any state-changing security impact (e.g., logout CSRF).
- Disclosure of non-confidential server-side information, such as IP addresses, server names, or stack traces.
- Issues that only confirm the existence of users or tenants.
- Problems that involve vulnerabilities requiring unsolicited user actions that are outside normal app workflows.
- Lack of SSL/TLS best practices.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) issues.
- User experience (UX) or user interface (UI) issues that do not significantly disrupt platform usage.
- Issues primarily caused by browser or plugin defects.
- Leakage of non-sensitive API keys (e.g., Etherscan, Infura, Alchemy).
- Misconfigured SPF/DMARC records.
- Missing HTTP headers without a demonstrated impact.
- Automated scanner reports that do not demonstrate an impact.
Known Issues
thUSD has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports is not eligible for a reward.
Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.
Other known issues:
- Rounding errors in BAMM are considered economically unfeasible to exploit and are intentional behavior.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
- Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Any denial of service attacks that are executed against project assets
- Automated testing of services that results in a denial of service
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
Summary
Status: Live
Total reward: $250,000 USDC
Start date: 28 Aug 2024 8:00pm (local time)