Makina Contracts

@makina
Live

Maximum reward: $500,000

Severity    Max. Reward
Critical    $500,000
High        $50,000

Deposit required: $5
Safe Harbor: 10% of TVL
Findings submitted: 7
Start date: 29 Oct 2025


In scope

Severity    Min and Max Reward
Critical    Up to $500,000
High        Up to $50,000
Medium      Discretionary
Low         Discretionary

In addition to the contracts listed below, any other contracts deployed by the listed factories are in scope. Any new contracts deployed on spoke chains at the addresses listed below for Base and Arbitrum are also in scope.

.
├── src
│   ├── bridge
│   │   ├── adapters
│   │   │   ├── AcrossV3BridgeAdapter.sol
│   │   │   └── BridgeAdapter.sol
│   │   └── controller
│   │       └── BridgeController.sol
│   ├── caliber
│   │   ├── Caliber.sol
│   │   └── CaliberMailbox.sol
│   ├── factories
│   │   ├── BridgeAdapterFactory.sol
│   │   ├── CaliberFactory.sol
│   │   ├── Create3Factory.sol
│   │   ├── HubCoreFactory.sol
│   │   └── SpokeCoreFactory.sol
│   ├── interfaces
│   │   ├── AggregatorV2V3Interface.sol
│   │   ├── IAcrossV3MessageHandler.sol
│   │   ├── IAcrossV3SpokePool.sol
│   │   ├── IBridgeAdapter.sol
│   │   ├── IBridgeAdapterFactory.sol
│   │   ├── IBridgeController.sol
│   │   ├── ICaliber.sol
│   │   ├── ICaliberFactory.sol
│   │   ├── ICaliberMailbox.sol
│   │   ├── IChainRegistry.sol
│   │   ├── ICoreRegistry.sol
│   │   ├── IFeeManager.sol
│   │   ├── IHubCoreFactory.sol
│   │   ├── IHubCoreRegistry.sol
│   │   ├── IMachine.sol
│   │   ├── IMachineEndpoint.sol
│   │   ├── IMachineShare.sol
│   │   ├── IMakinaContext.sol
│   │   ├── IMakinaGovernable.sol
│   │   ├── IOracleRegistry.sol
│   │   ├── IOwnable2Step.sol
│   │   ├── IPreDepositVault.sol
│   │   ├── ISpokeCoreFactory.sol
│   │   ├── ISpokeCoreRegistry.sol
│   │   ├── ISwapModule.sol
│   │   ├── ITokenRegistry.sol
│   │   └── IWeirollVM.sol
│   ├── libraries
│   │   ├── CaliberAccountingCCQ.sol
│   │   ├── DecimalsUtils.sol
│   │   ├── Errors.sol
│   │   └── MachineUtils.sol
│   ├── machine
│   │   ├── Machine.sol
│   │   └── MachineShare.sol
│   ├── pre-deposit
│   │   └── PreDepositVault.sol
│   ├── registries
│   │   ├── ChainRegistry.sol
│   │   ├── CoreRegistry.sol
│   │   ├── HubCoreRegistry.sol
│   │   ├── OracleRegistry.sol
│   │   ├── SpokeCoreRegistry.sol
│   │   └── TokenRegistry.sol
│   ├── swap
│   │   └── SwapModule.sol
│   └── utils
│       ├── MakinaContext.sol
│       └── MakinaGovernable.sol
└── src-ir
    └── WeirollVM.sol

https://github.com/MakinaHQ/makina-periphery

.
├── depositors
│   └── DirectDepositor.sol
├── factories
│   ├── HubPeripheryFactory.sol
│   └── MetaMorphoOracleFactory.sol
├── fee-managers
│   └── WatermarkFeeManager.sol
├── flashloans
│   └── FlashloanAggregator.sol
├── interfaces
│   ├── IAsyncRedeemer.sol
│   ├── IDirectDepositor.sol
│   ├── IFlashloanAggregator.sol
│   ├── IHubPeripheryFactory.sol
│   ├── IHubPeripheryRegistry.sol
│   ├── IMachinePeriphery.sol
│   ├── IMakinaPeripheryContext.sol
│   ├── IMetaMorphoFactory.sol
│   ├── IMetaMorphoOracleFactory.sol
│   ├── ISecurityModule.sol
│   ├── ISecurityModuleReference.sol
│   ├── ISMCooldownReceipt.sol
│   ├── IWatermarkFeeManager.sol
│   └── IWhitelist.sol
├── libraries
│   └── Errors.sol
├── oracles
│   └── ERC4626Oracle.sol
├── redeemers
│   └── AsyncRedeemer.sol
├── registries
│   └── HubPeripheryRegistry.sol
├── security-module
│   ├── SecurityModule.sol
│   └── SMCooldownReceipt.sol
└── utils
    ├── MachinePeriphery.sol
    ├── MakinaPeripheryContext.sol
    └── Whitelist.sol

Name           Description              Asset
Makina Core    Makina core contracts

Out of scope

The following findings are out of scope or acknowledged:

  • Issues related to Fee-on-Transfer ERC20s
  • Issues related to Rebasing ERC20s
  • DAO infra / strat configuration errors (wrong/malicious addresses being set etc)
  • Invalid arguments in setters (addresses, bps, durations…)
  • Minor gas optimisations impacting code readability
  • Inconsistencies / faulty behaviour in strategies due to hub chain not being Ethereum Mainnet
  • Incapability to bridge funds between chains due to external bridges downtime
  • Incapability to propagate accounting from a spoke chain due to Wormhole CCQ not being operational there
  • Incapability to propagate accounting from a spoke chain due to Wormhole CCQ downtime
  • RPCs returning wrong data to Wormhole CCQ leading to faulty share price
  • Incapability to account due to oracle downtime / shutting down
  • Faulty accounting due to oracle staleness and/or OracleRegistry staleness threshold too big
  • Faulty accounting due to oracle compromise
  • Accounting imprecision linked to oracle prices computation
  • External protocol compromise causing loss of funds in strategies
  • External protocol downtime causing incapability to account for a position
  • External downtime caused by reckless incompetent operators (bridge state mismatch)
  • Any loss of funds or share price inconsistency caused by faulty instructions, including but not limited to:
    • Loss of funds due to faulty instructions
    • Accounting inconsistency due to
      • Faulty accounting instruction
      • conflict between positions tokens and base tokens
      • Faulty/incomplete affectedTokens list or group ID
      • Instruction spending assets not registered as base tokens
      • Low liquidity / easily manipulable pools used to price tokens
  • Loss of funds caused by operator unable to react fast enough in case of emergency
  • Loss of funds caused by reckless incompetent operators (liquidation, overconcentration, illiquidity)
  • Losses caused by oracle price/liquidity pool manipulation, where an unchecked synchronous deposit is used
  • Value extraction via front/back-running of share price updates or deposit/redeem operations.
  • Losses caused to LPs of external liquidity pools holding Machine Tokens
  • Operator capability to extract small amounts of AUM or manipulate AUM accounting, both within the maximum loss bounds defined in the contracts.
  • Issues related to un-implemented deposit/redeem modules (atomic redemption/permissionless deposits)
  • Operator setting wrong bridge data hash on the receiver side
  • Too large amounts causing overflows during calculations
  • Issues related to non-standard flash loan providers
  • Homologous tokens across different chains with mismatched decimals (looking at you BSC)
  • Blockchains with legacy solidity versions or non standard EVM implementations
  • Blockchains shutting down or becoming unresponsive/unavailable
  • Issues related to app, wallets, user interfaces etc.
  • Issues related to collusion of DAO/SecurityCouncil/RiskManager/Operator
  • Known issues: Operator should always submit transactions through privacy preserving relays, and not through public mempools
  • Any offchain infrastructure at *.makina.finance

Default Out of Scope: