Liquity

@liquity
Live

Maximum reward: 125,000 BOLD

| Severity | Max. Reward  |
|----------|--------------|
| Critical | 125,000 BOLD |
| High     | 62,500 BOLD  |
| Medium   | 12,500 BOLD  |

Findings submitted: 39

Start date: 1 Jul 2025



Liquity v2 is a collateralized debt platform. Users can lock up WETH and/or select LSTs, and issue stablecoin tokens (BOLD) to their own Ethereum address. The individual collateralized debt positions are called Troves.

The stablecoin tokens are economically geared towards maintaining value of 1 BOLD = $1 USD, due to the following properties:

  • The system is designed to always be over-collateralized - the dollar value of the locked collateral exceeds the dollar value of the issued stablecoins.
  • The stablecoins are fully redeemable - users can always swap x BOLD for $x worth of a mix of WETH and LSTs (minus fees), directly with the system.
  • The system incorporates an adaptive interest rate mechanism, managing the attractiveness and thus the demand for holding and borrowing the stablecoin in a market-driven way.

Upon opening a Trove by depositing a viable collateral ERC20, users may issue ("borrow") BOLD tokens such that the collateralization ratio of their Trove remains above the minimum collateral ratio (MCR) for their collateral branch. For example, for an MCR of 110%, a user with $10000 worth of WETH in a Trove can issue up to 9090.90 BOLD against it.

The BOLD tokens are freely exchangeable - any Ethereum address can send or receive BOLD tokens, whether it has an open Trove or not. The BOLD tokens are burned upon repayment of a Trove's debt.

The Liquity v2 system prices collateral via Chainlink oracles. When a Trove falls below the MCR, it is considered under-collateralized, and is vulnerable to liquidation.

Prohibited Actions

  • No Unauthorized Testing on Production Environments:
    Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

  • No Public Disclosure Without Consent:
    Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission from the Liquity team to disclose.

  • No Exploitation or Data Exfiltration:
    Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

  • No Conflict of Interest:
    Individuals currently or formerly employed by Liquity, or those who contributed to the development of the affected code, including previous security contractors, are ineligible to participate.

Disclosure Requirements

Please report vulnerabilities directly to the cantina.xyz bug bounty platform. Include:

  • A clear description of the vulnerability and its impact.
  • Steps to reproduce the issue (proof of concept preferred).
  • Conditions under which the issue occurs.
  • Potential implications if exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

  • Be the first to report a previously unknown, non-public vulnerability within scope.
  • Provide sufficient information to reproduce and fix the issue.
  • Not have exploited the vulnerability in a malicious manner.
  • Not have disclosed the vulnerability to third parties prior to receiving permission from the Liquity team.
  • Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

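| Severity Level     | Impact: Critical | Impact: High | Impact: Medium | Impact: Low   |
|--------------------|------------------|--------------|----------------|---------------|
| Likelihood: High   | Critical         | High         | Medium         | Low           |
| Likelihood: Medium | High             | High         | Medium         | Low           |
| Likelihood: Low    | Medium           | Medium       | Low            | Informational |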

Impact Definitions:

  • Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
  • High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
  • Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
  • Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

  • High: Very easy to exploit or highly incentivized.
  • Medium: Exploitation is possible under certain conditions.
  • Low: Difficult to exploit or requires very specific conditions.

Payout Guidelines

| Severity | liquity/bold   | liquity/V2-gov |
|----------|----------------|----------------|
| Critical | Up to $125,000 | Up to $25,000  |
| High     | Up to $62,500  | Up to $12,500  |
| Medium   | Up to $12,500  | Up to $2,500   |
| Low      | Discretionary  | Discretionary  |

Note: Actual reward amounts are determined at Liquity’s sole discretion. Factors influencing payout include report quality, completeness, and severity/exploitability.

Other Terms

By submitting a report, you grant Liquity the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Liquity. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.