Circuit
Total reward: $1,500
No deposit required
Findings submitted: 31
Start date: 5 Nov 2025
Circuit is a DeFi protocol built on the Chia blockchain. More specifically, Circuit is a collateralized debt position (CDP) protocol that allows users to borrow Bytecash (BYC), a USD stablecoin issued by the protocol, against XCH, the native token of Chia. Circuit is written in Chialisp.
Scope

In-Scope Targets:
- Core Contracts:
  - .clsp and .clib files in https://github.com/circuitdao/puzzles
  - Commit ID 1f2bf0396a5a1d538f9a5fccbcfc11cdacce8293
  - Total LOC: ca. 6700
Other In-Scope Assets:
- We are providing an initial Statutes configuration (ISC), which defines the Statute values and constraints that the protocol will be launched with. The ISC is to be considered an integral part of the protocol, and any vulnerability that results from the ISC is in-scope.

Initial Statutes Configuration (ISC):
- Statutes no. 0, 1, 2, 4 and 33 should be considered out-of-scope as those values can only be set at the time of protocol launch.
- Statutes no. 1 and 2 are discount factors given with PRECISION = 10,000,000,000. For example, if a Stability Fee of 5% per annum is desired at protocol launch, STATUTE_STABILITY_FEE_DF would be set to 10,000,000,928.
- Statute value no. 3 should always be nil as it is not used for anything.
- Statute no. 26 will in practice depend on the CRT market price, which is not known at the time of protocol deployment.
- Statute no. 34 is deliberately being set to 0 at launch. Although it lowers the incentive for Announcers to behave well, it’s important to sign up a sufficient number of Announcers first.
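As an added worked example (not part of the bounty page or of the Circuit codebase), the following Python reproduces the discount-factor encoding used for Statutes 1 and 2, so that a proposed ISC value can be checked against the annual rate it is meant to express, and the rounding loss of the integer encoding can be quantified. It assumes the factor is applied once per minute over a 365-day year; the page does not state the compounding interval, but per-minute compounding is the interval that reproduces the page's own figure of 10,000,000,928 for 5% per annum. The function names are mine.

```python
import math

# From the page: Statutes 1 and 2 are discount factors scaled by this precision.
PRECISION = 10_000_000_000

# Assumption (not stated on the page): the factor is applied once per minute,
# with a 365-day year. This is inferred from the page's example (5% p.a. ->
# 10,000,000,928); it is not documented protocol behaviour.
SECONDS_PER_YEAR = 365 * 24 * 60 * 60
PERIOD_SECONDS = 60
PERIODS_PER_YEAR = SECONDS_PER_YEAR // PERIOD_SECONDS  # 525,600


def discount_factor(annual_rate: float, period_seconds: int = PERIOD_SECONDS) -> int:
    """Integer per-period growth factor for a given annual rate.

    Returns round((1 + r)^(1/n) * PRECISION), where n is the number of
    compounding periods per year. This is the form the ISC stores.
    """
    if annual_rate <= -1:
        raise ValueError("annual rate must be greater than -100%")
    periods_per_year = SECONDS_PER_YEAR / period_seconds
    per_period = math.exp(math.log1p(annual_rate) / periods_per_year)
    return round(per_period * PRECISION)


def implied_annual_rate(df: int, period_seconds: int = PERIOD_SECONDS) -> float:
    """Invert discount_factor(): the effective annual rate an integer DF encodes."""
    if df <= 0:
        raise ValueError("discount factor must be positive")
    periods_per_year = SECONDS_PER_YEAR / period_seconds
    return math.expm1(math.log(df / PRECISION) * periods_per_year)


def encoding_error_bps(annual_rate: float, period_seconds: int = PERIOD_SECONDS) -> float:
    """Basis points of annual rate lost (or gained) by rounding the DF to an integer.

    With PRECISION = 1e10 and per-minute compounding the sub-integer part of the
    factor is discarded 525,600 times a year, so the realised rate drifts from
    the intended one; this shows how large that drift is for a given rate.
    """
    df = discount_factor(annual_rate, period_seconds)
    return (implied_annual_rate(df, period_seconds) - annual_rate) * 10_000


if __name__ == "__main__":
    # Reproduce the page's worked figure and show the rounding drift.
    for label, rate in (("STATUTE_STABILITY_FEE_DF", 0.05), ("STATUTE_INTEREST_DF", 0.03)):
        df = discount_factor(rate)
        print(f"{label}: {rate:.2%} p.a. -> {df:,} "
              f"(realised {implied_annual_rate(df):.5%}, drift {encoding_error_bps(rate):+.3f} bps)")
```

A DF below PRECISION would shrink a balance rather than grow it, so a reviewer comparing a proposed ISC against this encoding should expect every fee or interest factor to be at least PRECISION, and should read the drift figure as a property of the chosen precision and period, not as an error in the page's number.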
Initial Statutes Configuration (ISC)
| Index | Statute | Amount / Value | Unit |
|---|---|---|---|
| 0 | STATUTE_ORACLE_LAUNCHER_ID | set during protocol deployment | |
| 1 | STATUTE_STABILITY_FEE_DF | depends on market at time of launch | |
| 2 | STATUTE_INTEREST_DF | depends on market at time of launch | |
| 3 | STATUTE_CUSTOM_CONDITIONS | n/a | |
| 4 | STATUTE_ORACLE_M_OF_N | depends on number of governance-approved announcers at time of launch | |
| 5 | STATUTE_ORACLE_PRICE_UPDATE_DELAY | 21,600 | seconds |
| 6 | STATUTE_ORACLE_PRICE_UPDATE_RATIO_BPS | 200 | bps |
| 7 | STATUTE_PRICE_DELAY | 3,600 | seconds |
| 8 | STATUTE_VAULT_MINIMUM_DEBT | 250,000 | mBYC |
| 9 | STATUTE_VAULT_LIQUIDATION_RATIO_PCT | 166 | pct |
| 10 | STATUTE_VAULT_LIQUIDATION_PENALTY_BPS | 1,300 | bps |
| 11 | STATUTE_VAULT_INITIATOR_INCENTIVE_FLAT | 12,000 | mBYC |
| 12 | STATUTE_VAULT_INITIATOR_INCENTIVE_BPS | 800 | bps |
| 13 | STATUTE_VAULT_AUCTION_TTL | 2,400 | seconds |
| 14 | STATUTE_VAULT_AUCTION_STARTING_PRICE_FACTOR_BPS | 12,000 | bps |
| 15 | STATUTE_VAULT_AUCTION_PRICE_TTL | 150 | seconds |
| 16 | STATUTE_VAULT_AUCTION_PRICE_DECREASE_BPS | 500 | bps |
| 17 | STATUTE_VAULT_AUCTION_MINIMUM_PRICE_FACTOR_BPS | 2,500 | bps |
| 18 | STATUTE_VAULT_AUCTION_MINIMUM_BID_FLAT | 1,000,000 | mBYC |
| 19 | STATUTE_VAULT_AUCTION_MINIMUM_BID_BPS | 1,000 | bps |
| 20 | STATUTE_TREASURY_MINIMUM | 0 | mBYC |
| 21 | STATUTE_TREASURY_MAXIMUM | 10,000,000 | mBYC |
| 22 | STATUTE_TREASURY_MINIMUM_DELTA | 20,000 | mBYC |
| 23 | STATUTE_TREASURY_REBALANCE_RATIO_PCT | 400 | pct |
| 24 | STATUTE_AUCTIONS_MINIMUM_PRICE_INCREASE_BPS | 500 | bps |
| 25 | STATUTE_RECHARGE_AUCTION_TTL | 86,400 | seconds |
| 26 | STATUTE_RECHARGE_AUCTION_MINIMUM_CRT_PRICE | 10,000,000 | dekaCRT/nanoBYC |
| 27 | STATUTE_RECHARGE_AUCTION_BID_TTL | 1,200 | seconds |
| 28 | STATUTE_RECHARGE_AUCTION_MINIMUM_BID | 1,000,000 | mBYC |
| 29 | STATUTE_RECHARGE_AUCTION_MAXIMUM_BID | 10,000,000 | mBYC |
| 30 | STATUTE_SURPLUS_AUCTION_LOT | 1,000,000 | mBYC |
| 31 | STATUTE_SURPLUS_AUCTION_BID_TTL | 1,200 | seconds |
| 32 | STATUTE_ANNOUNCER_REWARDS_INTERVAL_PRICE_UPDATES | 100 | updates |
| 33 | STATUTE_ANNOUNCER_REWARDS_PER_INTERVAL | depends on number of governance-approved announcers at time of launch | mCRT |
| 34 | STATUTE_ANNOUNCER_MINIMUM_DEPOSIT_MOJOS | 0 | mojos |
| 35 | STATUTE_ANNOUNCER_MAXIMUM_VALUE_TTL | 900 | seconds |
| 36 | STATUTE_ANNOUNCER_PENALTY_INTERVAL_MINUTES | 15 | minutes |
| 37 | STATUTE_ANNOUNCER_PENALTY_PER_INTERVAL_BPS | 500 | bps |
| 38 | STATUTE_ANNOUNCER_DISAPPROVAL_MAXIMUM_PENALTY_BPS | 2,500 | bps |
| 39 | STATUTE_ANNOUNCER_DISAPPROVAL_COOLDOWN_INTERVAL | 7,776,000 | seconds |
| 40 | STATUTE_GOVERNANCE_BILL_PROPOSAL_FEE_MOJOS | 1,000,000,000,000 | mojos |
| 41 | STATUTE_GOVERNANCE_IMPLEMENTATION_INTERVAL | 21,600 | seconds |
| 42 | STATUTE_GOVERNANCE_COOLDOWN_INTERVAL | 86,400 | seconds |
| 43 | STATUTE_BLOCK_ISSUANCE | 0 | bool |
If you discover a vulnerability in any component that is not explicitly listed but poses a risk to user funds, user data, or the integrity of the system, you may submit it for consideration. The team will review such submissions on a case-by-case basis.
Out-of-Scope Targets:
- Expected behaviors such as trusted/untrusted roles and/or any accepted risks:
  - Data provider collusion
  - The majority of governance token holders colluding
  - Issues identified in previous security reviews (incl. Cantina audit competition) that the team decided not to fix or address (usually because they were of low or informational severity). Note however that fixes to issues identified in previous security reviews are in-scope, i.e. fixes that did not eliminate the vulnerability or introduced a new one.
- Web Interface / Application:
  - https://circuitdao.com
  - The app connects to a deployment of the protocol on Chia testnet11. The puzzles deployed are those of commit ID 1f2bf0396a5a1d538f9a5fccbcfc11cdacce8293. The app only exposes a subset of protocol operations. The full set of operations is accessible via the CLI: https://github.com/circuitdao/circuit-cli
Default Out of Scope:
- Please refer to the docs for default out of scope guidelines
Prohibited Actions
- No Unauthorized Testing on Production Environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No Public Disclosure Without Consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No Exploitation or Data Exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No Conflict of Interest: Individuals currently or formerly employed by Voltage Technologies, or those who contributed to the development of the affected code, are ineligible to participate.
Disclosure Requirements
Please report vulnerabilities directly through the Spearbit/Cantina platform. Please include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue, ideally with a proof of concept.
- Details on the conditions under which the issue occurs.
- Potential implications if the vulnerability were exploited.
Reports should be made as soon as possible—ideally within 24 hours of discovery.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within the defined scope.
- Provide sufficient information to reproduce and fix the vulnerability.
- Not have exploited the vulnerability in any malicious manner.
- Not have disclosed the vulnerability to third parties before receiving permission.
- Comply with all Program rules and applicable laws.
You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.
Severity and Rewards
Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.
Risk Classification Matrix
| Severity Level | Impact: Critical | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|---|
| Likelihood: High | Critical | High | Medium | Low |
| Likelihood: Medium | High | High | Medium | Low |
| Likelihood: Low | Medium | Medium | Low | Informational |
Impact Definitions:
- Critical: Vulnerabilities that can lead to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Vulnerabilities that cause notable financial loss or significantly harm user trust, but on a lesser scale than Critical.
- Medium: Vulnerabilities that lead to limited financial damage or moderate system impact.
- Low/Informational: Findings that pose minimal direct risk but reflect areas for improvement or best practices.
Likelihood Definitions:
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires highly specific conditions.
Payout Guidelines
- Core Smart Contract Code (total reward pool: $5,000)
| Severity | Payout Range |
|---|---|
| Critical | Up to $1,500 |
| High | Up to $1,000 |
| Medium | Up to $500 |
| Low | Discretionary |
Note: Actual reward amounts are determined at Voltage Technologies' sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.
Other Terms
By submitting a report, you grant Voltage Technologies the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Voltage Technologies. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.