Delv / DELV Bounty

The bug bounty program is focused on DELV's Hyperdrive smart contracts and is mostly concerned with the loss of user funds and access to those funds without user permission.

To be eligible for a reward under the DELV Bug Bounty Program, you must:

  • Discover a previously unreported and non-public vulnerability that would result in a loss of or a lock on any ERC-20 token in Hyperdrive. Each bug will only be considered for a reward once. This does not include third-party platforms interacting with the system.
  • Be the first to disclose the unique vulnerability, in compliance with the disclosure requirements set out in the section below.
  • Provide sufficient information to enable our team to reproduce and fix the vulnerability. This includes providing a PoC.
  • Not engage in any unlawful conduct when disclosing the bug, including through threats, demands, or any other coercive tactics.
  • Not exploit the vulnerability in any way, including through making it public or by obtaining a profit (other than the reward subject under this Program).
  • Submit only one vulnerability per submission, unless you need to bundle vulnerabilities together in order to provide an accurate assessment of impact regarding any of the vulnerabilities.
  • Not submit a vulnerability caused by an underlying issue that is the same as an issue on which a reward has been paid under this Program.
  • Not be one of our current or former employees or contractors.
  • Comply with all applicable laws.
  • Not be listed on any sanctions list of the United States, the United Kingdom, the European Union, or the United Nations; not be directly or indirectly owned by or associated with any such sanctioned person; and not be operating from or ordinarily resident in any jurisdiction subject to such sanctions.

Smart Contracts in Scope

delvtech/hyperdrive

Target URL                                Type
StETHTarget3Deployer.sol                  StETHTarget3Deployer
StETHTarget1Deployer.sol                  StETHTarget1Deployer
StETHHyperdriveDeployerCoordinator.sol    StETHHyperdriveDeployerCoordinator
StETHHyperdriveCoreDeployer.sol           StETHHyperdriveCoreDeployer
StETHTarget2Deployer.sol                  StETHTarget2Deployer
StETHTarget0Deployer.sol                  StETHTarget0Deployer
HyperdriveDeployerCoordinator.sol         HyperdriveDeployerCoordinator
LsETHTarget2Deployer.sol                  LsETHTarget2Deployer
LsETHHyperdriveDeployerCoordinator.sol    LsETHHyperdriveDeployerCoordinator
LsETHHyperdriveCoreDeployer.sol           LsETHHyperdriveCoreDeployer
LsETHTarget1Deployer.sol                  LsETHTarget1Deployer
LsETHTarget3Deployer.sol                  LsETHTarget3Deployer
LsETHTarget0Deployer.sol                  LsETHTarget0Deployer
EzETHHyperdriveCoreDeployer.sol           EzETHHyperdriveCoreDeployer
EzETHTarget2Deployer.sol                  EzETHTarget2Deployer
EzETHTarget3Deployer.sol                  EzETHTarget3Deployer
EzETHTarget0Deployer.sol                  EzETHTarget0Deployer
EzETHHyperdriveDeployerCoordinator.sol    EzETHHyperdriveDeployerCoordinator
EzETHTarget1Deployer.sol                  EzETHTarget1Deployer
ERC4626Target0Deployer.sol                ERC4626Target0Deployer
ERC4626Target2Deployer.sol                ERC4626Target2Deployer
ERC4626Target3Deployer.sol                ERC4626Target3Deployer
ERC4626HyperdriveCoreDeployer.sol         ERC4626HyperdriveCoreDeployer
ERC4626HyperdriveDeployerCoordinator.sol  ERC4626HyperdriveDeployerCoordinator
ERC4626Target1Deployer.sol                ERC4626Target1Deployer
RETHTarget1Deployer.sol                   RETHTarget1Deployer
RETHTarget0Deployer.sol                   RETHTarget0Deployer
RETHHyperdriveDeployerCoordinator.sol     RETHHyperdriveDeployerCoordinator
RETHHyperdriveCoreDeployer.sol            RETHHyperdriveCoreDeployer
RETHTarget3Deployer.sol                   RETHTarget3Deployer
RETHTarget2Deployer.sol                   RETHTarget2Deployer
HyperdriveTarget0.sol                     HyperdriveTarget0
HyperdriveTarget3.sol                     HyperdriveTarget3
Hyperdrive.sol                            Hyperdrive
HyperdriveTarget1.sol                     HyperdriveTarget1
HyperdriveTarget2.sol                     HyperdriveTarget2
StETHTarget1.sol                          StETHTarget1
StETHHyperdrive.sol                       StETHHyperdrive
StETHTarget2.sol                          StETHTarget2
StETHTarget0.sol                          StETHTarget0
StETHBase.sol                             StETHBase
StETHTarget3.sol                          StETHTarget3
LsETHTarget0.sol                          LsETHTarget0
LsETHHyperdrive.sol                       LsETHHyperdrive
LsETHBase.sol                             LsETHBase
LsETHTarget1.sol                          LsETHTarget1
LsETHTarget2.sol                          LsETHTarget2
LsETHTarget3.sol                          LsETHTarget3
EzETHHyperdrive.sol                       EzETHHyperdrive
EzETHTarget0.sol                          EzETHTarget0
EzETHTarget1.sol                          EzETHTarget1
EzETHTarget2.sol                          EzETHTarget2
EzETHBase.sol                             EzETHBase
EzETHTarget3.sol                          EzETHTarget3
ERC4626Target3.sol                        ERC4626Target3
ERC4626Base.sol                           ERC4626Base
ERC4626Target1.sol                        ERC4626Target1
ERC4626Hyperdrive.sol                     ERC4626Hyperdrive
ERC4626Target2.sol                        ERC4626Target2
ERC4626Target0.sol                        ERC4626Target0
RETHTarget0.sol                           RETHTarget0
RETHHyperdrive.sol                        RETHHyperdrive
RETHTarget2.sol                           RETHTarget2
RETHTarget1.sol                           RETHTarget1
RETHBase.sol                              RETHBase
RETHTarget3.sol                           RETHTarget3
HyperdriveBase.sol                        HyperdriveBase
HyperdriveLP.sol                          HyperdriveLP
HyperdriveStorage.sol                     HyperdriveStorage
HyperdriveAdmin.sol                       HyperdriveAdmin
HyperdriveCheckpoint.sol                  HyperdriveCheckpoint
HyperdriveLong.sol                        HyperdriveLong
HyperdriveMultiToken.sol                  HyperdriveMultiToken
HyperdriveShort.sol                       HyperdriveShort
HyperdriveCheckpointSubrewarder.sol       HyperdriveCheckpointSubrewarder
HyperdriveCheckpointRewarder.sol          HyperdriveCheckpointRewarder
Errors.sol                                Errors
YieldSpaceMath.sol                        YieldSpaceMath
Constants.sol                             Constants
FixedPointMath.sol                        FixedPointMath
HyperdriveMath.sol                        HyperdriveMath
AssetId.sol                               AssetId
SafeCast.sol                              SafeCast
LPMath.sol                                LPMath
HyperdriveRegistry.sol                    HyperdriveRegistry
HyperdriveFactory.sol                     HyperdriveFactory
ERC20ForwarderFactory.sol                 ERC20ForwarderFactory
ERC20Forwarder.sol                        ERC20Forwarder

Disclosure and Reporting Guidelines

To be eligible for a bounty, bug bounty hunters, security engineers, and researchers must:

  • Make it a priority to avoid privacy violations, degradation of user experience, and disruption to production systems during security testing.
  • Report vulnerabilities as soon as they have been discovered and keep them confidential between yourself and the DELV team. You may not use (other than as necessary to participate in this bug bounty program) and may not disclose to a third party any DELV confidential information, including identified vulnerabilities.
  • Only use the Cantina.xyz bug reporting interface to report vulnerability information to us.
  • Provide the team with at least 5 working days to investigate the issue and get back to you before taking any further action.
  • DELV reserves the right to verify that the bounty hunter/researcher/security engineer meets these requirements and is eligible for payment.
  • By reporting a vulnerability, you assign to Cantina (who assigns it to DELV) any intellectual property developed from your participation in this bug bounty program.

Severity Definitions

Smart Contracts

Severity level        Impact: High             Impact: Medium
Likelihood: high      $100,000.00 (Critical)   $20,000.00 (High)
Likelihood: medium    $20,000.00 (High)        $5,000.00 (Medium)

Critical

  • Direct theft of any user funds

High

  • Any governance voting result manipulation
  • Temporary freezing of funds

Medium

  • Smart contract unable to operate due to lack of token funds
  • Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
  • Theft of gas
  • Unbounded gas consumption

Low

  • At the discretion of DELV

Not all bugs will be material or warrant a bounty.

Out of Scope (all repositories)

Known Issues

  • All acknowledged issues in the delvtech/hyperdrive repo are considered out of scope.
  • All known issues in previous security reviews are considered out of scope.
  • Attempted fixes that do not remediate an issue remain in scope if the vulnerability still exists after the fix.

Specific Types of Issues

  • Informational findings.
  • Design choices related to protocol.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.
  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)
  • Incorrect data supplied by third party oracles
    • This does not exclude oracle manipulation or flash loan attacks.
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Sybil attack

Prohibited Actions

  • Live testing on public chains, including public mainnet deployments and public testnet deployments.
    • We recommend testing on local forks, for example using Foundry.
  • Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of bugs or unpatched vulnerabilities. See "Disclosure and Reporting Guidelines" above for additional protections of DELV's confidential information.

Summary

Status: Live

Total reward: $100,000 USDC

Start date: 10 Jul 2024 8:00pm (local time)

© 2024 Cantina. All rights reserved.