infinifi-protocol

@infinifi
Live

Maximum reward: $100,000

Severity  Max. Reward
Critical  $100,000
High      $15,000

Findings submitted: 22

Start date: 8 Jun 2025



In scope

Severity  Min and Max Reward
Critical  Up to $100,000
High      Up to $15,000

Ethereum Contract Addresses

Asset Description
CORE 0xF6d48735EcCf12bDC1DF2674b1ce3fcb3bD25490
TIMELOCK_SHORT 0x4B174afbeD7b98BA01F50E36109EEE5e6d327c32
TIMELOCK_LONG 0x3D18480CC32B6AB3B833dCabD80E76CfD41c48a9
FARM_REGISTRY 0xF5f2718708f471e43968271956CC01aaA8c46119
MANUAL_REBALANCER 0x160300d5C1eA377B823127d2D6668D43DD5C1d8A
RECEIPT_TOKEN 0x48f9e38f3070AD8945DFEae3FA70987722E3D89c
STAKED_TOKEN 0xDBDC1Ef57537E34680B898E1FEBD3D68c7389bCB
LOCKED_POSITION_TOKEN_1 0x12b004719fb632f1E7c010c6F5D6009Fb4258442
LOCKED_POSITION_TOKEN_2 0xf1839BeCaF586814D022F16cDb3504ff8D8Ff361
LOCKED_POSITION_TOKEN_3 0xed2a360FfDC1eD4F8df0bd776a1FfbbE06444a0A
LOCKED_POSITION_TOKEN_4 0x66bCF6151D5558AfB47c38B20663589843156078
LOCKED_POSITION_TOKEN_5 0xf0c4A78fEbf4062aeD39A02BE8a4C72E9857d7d1
LOCKED_POSITION_TOKEN_6 0xb06Cc4548FebfF3D66a680F9c516381c79bC9707
LOCKED_POSITION_TOKEN_7 0x3A744A6b57984eb62AeB36eB6501d268372cF8bb
LOCKED_POSITION_TOKEN_8 0xf68b95b7e851170c0e5123a3249dD1Ca46215085
LOCKED_POSITION_TOKEN_9 0xBB5cA732fAfEd8870F9C0e8406Ad707939c912E1
LOCKED_POSITION_TOKEN_10 0xd15fbf48c6dDdADC9Ef0693B060d80aF51cC26d5
LOCKED_POSITION_TOKEN_11 0xed030a37Ec6EB308A416Dc64dD4b649A2BBE4FCd
LOCKED_POSITION_TOKEN_12 0x3D360aB96B942c1251Ab061178F731eFEbc2d644
LOCKED_POSITION_TOKEN_13 0xbd3f9814eB946E617f1d774A6762cDbec0bf087A
UNWINDING_MODULE 0x7092A43aE5407666C78dBEA657a1891f42b3dFcc
LOCKING_CONTROLLER 0x1d95cC100D6Cd9C7BbDbD7Cb328d99b3D6037fF7
ACCOUNTING 0x7A5C5dbA4fbD0e1e1A2eCDBe752fAe55f6E842B3
YIELD_SHARING 0x9e8b926A0EB276eB380fb8282eA20c2A2faea967
ORACLE_IUSD 0x8ABc952f91dB6695E765744ae340BC5eA4B344c1
ORACLE_USDC 0x64b32f8198a4c89B1F10de7470Ff281513e2e8f5
ALLOCATION_VOTING 0x49FA678BB8B2F5F8089493a6f93e1bb8500FF853
MINT_CONTROLLER 0x49877d937B9a00d50557bdC3D87287b5c3a4C256
REDEEM_CONTROLLER 0xCb1747E89a43DEdcF4A2b831a0D94859EFeC7601
AFTER_MINT_HOOK 0xa5E274E6c2AbBd30E3A94e1A2dF7e6F5944797a8
BEFORE_REDEEM_HOOK 0x4b2bFe49829dE3632449928507452EE667f61395
GATEWAY_IMPLEMENTATION_V1 0x7954D563cbD9ee121a77805BCe5fe3c44F296D33
GATEWAY_PROXY 0x3f04b65Ddbd87f9CE0A2e7Eb24d80e7fb87625b5
EMERGENCY_WITHDRAWAL 0xa406aFC7967C63C5c454AD1f0e0dB9a761fe26e9
MINOR_ROLES_MANAGER 0xa08Bf802dCecd3c44E6420a52d5158867366be9b
ORACLE_USDE 0x51Fc27C676C25C388735a51b760d64fE0acFf758
ORACLE_SUSD 0xefE74995689f850123f67C73d61C64B03a7Dce17
ORACLE_USDO 0x2630bbF66fc421E42DfffD370994fE1938D05083
FARM_AAVEV3 0xbFd5FC8DecA3C6128bfCE0FE46c25616811c3580
FARM_MORPHO_SMOKEHOUSE 0x05b9E728e93D090Aa896B96D96Ad215b6Ca97e93
FARM_MORPHO_GAUNTLETCORE 0xF7F724fdb7562850E2b068E0a52EC79a768AB884
FARM_MORPHO_GAUNTLETFRONTIER 0x1D2ED96Cd1F9f89668978B8cf52B5F2E4eED9F5C
FARM_EULER_GAUNTLETYIELD 0xBAfdc42C84Da2A79C5e72F25F610D84452e8d527
FARM_EULER_GAUNTLETPRIME 0x082dE04C51d3d5332AF2d046923496B05cE00BB3
FARM_FLUID 0x1484d6C834Ac99B9E50B17e57F85C8603F65657A
FARM_COWSWAP_SUSDE 0x08ce17d83b3BEbb1C43A55a054d656ecBEbAffA7
FARM_PENDLEV2_SUSDE_20250731 0xCfdD5c03D640e4ecEF25f32C12411f71B976A4F5
FARM_PENDLEV2_USDE_20250731 0xc39fb0D8597adDB96Ab599eCA23a1556De17Bfe3
FARM_PENDLEV2_USDO_20250619 0xCCD2D84b9Ecec546Eacb7fb3e17f74Ac86B33728
FARM_PENDLEV2_EUSDE_20250814 0xE611D7DF6f6988cFCe36030061764c686E6f725C
FARM_PENDLEV2_SYRUPUSDC_20250821 0x7BA3Bc4E47F9c44847Caf58bA2e3957D984995A5
LPT_CURVE_ORACLE_V1 0x56af923033cbe7F6b83AEb9cBD7621076Fb26647

Out of scope

Out-of-Scope Targets:

  • Contracts listed in addresses.1.json that are deployed by third parties, like ERC20_USDC, ROUTER_PENDLE, … InfiniFi’s deployer address is 0xdecaDAc8778D088A30eE811b8Cc4eE72cED9Bf22 and all our contracts are verified on Etherscan.
  • api.infinifi.xyz
  • Issues described in previous audit reports (Spearbit, Certora, Cantina); the reports are available on our documentation website.

Default Out of Scope:

  • Issues found in previous security reviews
  • Third-party contracts not under direct project control
  • Issues with non-standard ERC20 tokens (unless explicitly supported by the project)
  • Rounding errors with no significant impact
  • User errors requiring obviously incorrect parameter inputs
  • Vulnerabilities that only manifest during extreme market conditions
  • Incorrect data from third-party oracles
    • Note: Oracle manipulation and flash loan attacks are still in scope
  • Theoretical exploits without practical proof-of-concept
  • Issues requiring access to leaked keys or credentials
  • Issues arising from Sybil attacks
  • Centralization risks
  • Basic economic and governance attacks (such as 51% attacks)
  • Protocol design choices
  • Gas optimization issues and high gas costs
  • Best practice suggestions
  • Submissions generated using ChatGPT or other LLM tools