cork-protocol

Cork is the protocol for tokenizing the risk of depeg events for stablecoins and liquid (re)staking tokens. It introduces Depeg Swaps, permissionless tokens representing the risk position of a certain asset losing its correlated peg. A new type of risk marketplace, in Cork the price of depeg swaps are established by the market, allowing people to gauge the market’s sentiment of a pegged assets’ stability. Depeg swaps can be bought (to get protection against an depeg or bet that a peg will hold) or sold (to bet that a peg will be lost) and create a new financial primitive to price, hedge, and trade depeg risks.

For more information about Cork, please visit https://www.cork.tech/

Scope

Assets in Scope

• Smart Contracts:

  • AssetFactory Implementation
  • AssetFactory
  • Cork Config
  • FlashSwapRouter Implementation
  • FlashSwap Router
  • ModuleCore Router Implementation
  • Module Core
  • Liquidity Token
  • Hook
  • Withdrawal
  • Exchange Rate Provider

• Web/app

  • https://app.cork.tech

Out-of-Scope Targets:

• Previous Audits
  • Any unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
• Impacts relying on known vulnerabilities that were publicly acknowledged by Cork through Issues or Pull Requests in any of Cork’s Public Github repositories at:
  • https://github.com/Cork-Technology.
• Impacts relying on maintenance windows that have been publicly disclosed on
  • www.cork.tech or
  • app.cork.tech
• Impacts relying on vulnerabilities within our 3rd-party code dependencies that have already been publicly disclosed by any party, including the security researcher

Prohibited Actions

• No Unauthorized Testing on Production Environments:
  Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.

• No Public Disclosure Without Consent:
  Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.

• No Exploitation or Data Exfiltration:
  Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.

• No Conflict of Interest:
  Individuals currently or formerly employed by Cork Protocol, or those who contributed to the development of the affected code, are ineligible to participate.

Disclosure Requirements

The report must include:

• A clear description of the vulnerability and its impact.
• Steps to reproduce the issue, ideally with a proof of concept.
• Details on the conditions under which the issue occurs.
• Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

• Be the first to report a previously unknown, non-public vulnerability within the defined scope.
• Provide sufficient information to reproduce and fix the vulnerability.
• Not have exploited the vulnerability in any malicious manner.
• Not have disclosed the vulnerability to third parties before receiving permission.
• Comply with all Program rules and applicable laws.
• Should not be on OFACs SDN list
• Should not be an official contributor, either in past or atpresent
• Should not be employees and/or individuals closely associated with the project
• Should not be security auditors that directly or indirectly participated in the audit review

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Risk Classification Matrix

Severity Level	Impact: Critical	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium	Low
Likelihood: Medium	High	High	Medium	Low
Likelihood: Low	Medium	Medium	Low	Informational

Impact Definitions:

• Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
• High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
• Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
• Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.

Likelihood Definitions:

• High: Very easy to exploit or highly incentivized.
• Medium: Exploitation is possible under certain conditions.
• Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

• Smart Contract Code

Risk Score	Reward Amount
Critical	USD 30,000 - USD 100,000
High	USD 10,000 - USD 30,000

• Web Interface / Frontend

Severity	Reward Amount
Critical	TBD

• For critical smart contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 100,000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 30,000 is to be rewarded in order to incentivize security researchers against withholding a critical bug report.

Repeatable Attack Limitations

• If the smart contract where the vulnerability exists can be upgraded or paused, only the initial attack will be considered for a reward. This is because the project can mitigate the risk of further exploitation by upgrading or pausing the component where the vulnerability exists. The reward amount will depend on the severity of the impact and the funds at risk.

• For critical repeatable attacks on smart contracts that cannot be upgraded or paused, the project will consider the cumulative impact of the repeatable attacks for a reward. This is because the project cannot prevent the attacker from repeatedly exploiting the vulnerability until all funds are drained and/or other irreversible damage is done. Therefore, this warrants a reward equivalent to 10% of funds at risk, capped at the maximum critical reward.

Reward Calculation for High Level Reports

• High vulnerabilities concerning theft/permanent freezing of unclaimed yield/royalties are rewarded within a range of USD 10,000 to USD 30,000 depending on the funds at risk, capped at the maximum high reward.

• In the event of temporary freezing, the reward doubles from the full frozen value for every additional 24h that the funds are temporarily frozen, up until a max cap of the high reward. This is because as the duration of the freezing lengthens, the potential for greater damage and subsequent reputational harm intensifies. Thus, by increasing the reward proportionally with the frozen duration, the project ensures stronger incentives for bug disclosure of this nature.

For critical web/apps bug reports will be rewarded with USD TBD only if the impact leads to:

• A loss of funds involving an attack that does not require any user action
• Private key or private key generation leakage leading to unauthorized access to user funds

All other impacts that would be classified as Critical would be rewarded a flat amount of USD TBD. The rest of the severity levels are paid out according to the Impact in Scope table.

Note: Actual reward amounts are determined at Cork’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Cork the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Cork. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.