Pendle Finance / Pendle Boros Bounty bounty

Pendle Boros is the first protocol that provides a marketplace for on-chain interest rate swaps. The protocol enables users to take long or short positions on variable interest rates with leverage through a hybrid system combining a central limit order book and AMM.

The bug bounty program is focused on smart contract security and is primarily concerned with preventing loss of user funds and protocol insolvency. Further resources regarding Boros can be found at boros.pendle.finance.

Upfront Expectations

We aim for reports with a clear, actionable outcome. A report is eligible for a reward under this program only if all of the following are true:

The report demonstrates an exploitable issue within in-scope contracts that can result in loss of user funds (or an equivalent direct financial impact, such as permanent fund freeze).
The report includes clear reproduction steps and a credible impact assessment.
The report proposes an actionable remediation or mitigation (code-level or operational), sufficient for the Pendle team to evaluate.
The issue is confirmed by the Pendle team under the rules of this program (including scope and eligibility criteria).

Please see the Out of Scope section for additional details.

SEAL Safe Harbor (Active Exploits)

Pendle has adopted the SEAL (Security Alliance) Whitehat Safe Harbor framework. Safe Harbor is intended for active exploits (i.e., hacks-in-progress), where whitehats may need to intervene to rescue funds and return them with clear pre-authorization and rules of engagement.

Authoritative references (please read these first):

Overview: https://frameworks.securityalliance.org/safe-harbor/overview/
Scope terms / definitions: https://frameworks.securityalliance.org/safe-harbor/scope-terms
Pendle’s Safe Harbor registry entry (contacts, terms, recovery details): https://safeharbor.securityalliance.org/database/pendle

Contracts in Scope

The following Boros core contracts deployed on Arbitrum are in scope:

Address	Contract
0x8080808080daB95eFED788a9214e400ba552DEf6	Router
0x1080808080f145b14228443212e62447C112ADaD	MarketHub
0x2080808080262c1706598c9DBDD3a0cD3601e5ea	AccessController
0x3080808080Ee6a795c1a6Ff388195Aa5F11ECeE0	MarketFactory
0x3205e972714B52512c837AE6f5FCFDeB07f0f23C	AMMFactory
0x353C6Ba99500f9F5a7937aF7BF26c8E40817518B	AdminModule
0xD0808080803c59dBF8825290bca8979786C2d65B	MakerIncentiveDistributor
0xD180808080402FE41711Db560B8db5C41e21Df71	AMMIncentiveDistributor
0xD2808080809a71248620a7ddc25b721d3DBe1058	ReferralIncentiveDistributor

Additionally, active markets and related contracts are also in scope:

The list of markets can be obtained at https://api.boros.finance/core/docs#/Markets/MarketsController_getMarkets
For each market, the in-scope contracts include Market, AMM, and FIndexOracle.
- For example, for market with ID 2, the following contracts are considered:
  - Market: 0xd490dd635051d609887883d364368b223631653d
  - AMM: 0xb57c34fbcb272510303675397055942b019ee45a
  - FIndexOracle: 0x3011dfd5736aeb5629d5db178a61b0094e2144b9
Matured markets will be considered if the vulnerability has system-wide impact or impacts on active markets.

Award Levels

Rewards are distributed based on vulnerability severity and potential economic impact.

Severity	Maximum Payout	Minimum Payout
Critical	Up to $500,000 USD	$50,000 USD
High	Up to $100,000 USD	$20,000 USD

Note: Rewards are capped at 10% of economic impact for fund-loss scenarios.

Severity Definitions

Technical Exploits

This covers vulnerabilities in smart contract implementation that could lead to theft or loss of funds. These are traditional bugs in the code itself, as opposed to economic design flaws covered in the next section.

Severity is determined by both the amount of funds at risk and likelihood of exploitation:

Likelihood	>=10% TVL	<10% TVL
High	Critical	High
Medium	High	Medium

For vulnerabilities that result in immediate token extraction out of Boros contracts, the funds at risk are calculated as 100% of exploitable amount.

For vulnerabilities that result in artificially inflated account balances but not immediate token extraction (i.e. still subject to withdrawal cooldown), the funds at risk are calculated as 20% of the exploitable amount (after deducting attack costs). However, a vulnerability that results in an inflated account balance that can be leveraged to cause protocol insolvency will be considered higher severity. This type of vulnerability will be assessed based on the potential total economic damage to the protocol, not just the capped amount.

Note: The adjusted funds at risk are used as the "economic impact" for reward calculation. For vulnerabilities mitigated by the cooldown mechanism, this effectively caps rewards at 2% of the exploitable amount (20% funds at risk × 10% reward cap). The minimum payout still applies.

Economic Exploits

Economic exploits are vulnerabilities in the protocol's design, as opposed to direct coding bugs, that can lead to systemic financial damage without necessarily involving a direct theft of funds. These include economic design flaws and manipulation strategies that exploit legitimate protocol mechanisms.

Unlike technical exploits where funds at risk can be calculated relatively precisely, economic exploits often have complex, cascading effects that make standardized calculations difficult. Therefore, severity will be determined on a case-by-case basis at Pendle's sole discretion, based on our assessment of the potential total financial damage to the protocol. Factors considered may include direct losses, user funds at risk, market dysfunction duration, confidence impact, and systemic risks. Pendle reserves the right to make final determinations on both the validity and severity of all economic exploit submissions.

Likelihood/Impact	Significant	Moderate
High	High or Critical	High
Medium	High	Medium

Other Vulnerabilities

For other vulnerabilities, the Pendle team exercises discretion, together with Cantina, to determine final severity based on the specific context and potential impact of each vulnerability.

Out of Scope

Security researchers are still encouraged to report the out of scope issues. Awards for out of scope issues to be determined at the discretion of Pendle Finance.

The Pendle team will be very flexible in assessing all submissions, with the goal of prioritizing the security of the protocol.

Excluded from Bounty Program

Issues not from contracts listed in "Contracts in Scope" section
Known issues from previous audits
Third-party protocols or tokens integrated with Boros
Frontend applications and UI bugs
Infrastructure vulnerabilities (DNS, servers, CDN)
MEV that doesn't violate protocol invariants
Issues requiring unlikely user behavior or social engineering
Vulnerabilities in underlying blockchain infrastructure

Specific Issue Types Not Eligible

Informational findings without security impact
Design choices and protocol architecture decisions
User errors preventable by frontend validation (e.g., transfers to address(0))
Minor rounding errors without economic impact
Gas consumption optimizations
Vulnerabilities requiring extreme market conditions

Issues Without Any Actionable Fixes

Along with a clear description and reproduction steps, reports must include an actionable remediation. A remediation can be either:

A concrete code-level change (patch, pseudo-code, or precise guidance on what to change), or
A concrete operational/design mitigation that we can realistically adopt (e.g., configuration constraints, process controls, monitoring + response, feature removal/disablement).

A report may be considered out of scope if:

It does not include a credible remediation or mitigation path, or
The reported impact relies on a condition that we can reasonably avoid through configuration, operational controls, or design choices (i.e., the protocol is not exposed under intended and reasonably expected operation), or
The proposed remediation is not feasible to implement or does not meaningfully reduce the reported risk.

We reserve the right to determine whether a mitigation is feasible and "reasonably avoidable" based on intended protocol usage and realistic operational constraints.

Other Types of Severity

Issues that do not have strong impact according to the severity criteria are considered out of scope.

We still encourage researchers to report such issues in good faith, as they can help us improve resilience and user safety. Please see the Goodwill Policy section below.

Goodwill Policy

We still encourage researchers to report issues even if they appear out of scope under this program. Security is our priority, and we’d rather hear about a potential weakness than miss it. Pendle frequently offers goodwill awards for high-quality, well-evidenced reports that identify unusual or previously unknown behaviors affecting the protocol. To date, Pendle has awarded over $20,000 in goodwill to researchers for such reports.

That said, out-of-scope reports are eligible for goodwill awards only at Pendle’s discretion. To keep this channel useful for everyone, we will prioritize submissions that are:

Clear, reproducible, and show a concrete security impact; and
Made in good faith (focused on helping us remediate or mitigate the issue, rather than seeking to litigate the interpretation of these rules).

We may close or mark as out of scope reports that are low-signal (e.g., generic best-practices, speculative concerns without a realistic impact, duplicates/known issues, or reports that require long back-and-forth without new technical information).

Rules and Guidelines

Testing Requirements

No Mainnet Testing: All testing must be on local forks (e.g., using Foundry)
Responsible Disclosure: No public disclosure before issue resolution
Confidentiality: Maintain strict confidentiality until authorized disclosure

Submission Rules

Each vulnerability must be reported separately
Only previously unknown vulnerabilities are eligible
No exploitation for profit or damage
First valid submission receives the reward for duplicates
Quality of submission significantly impacts reward amount

Eligibility

Eligible Participants:

Independent security researchers
White hat hackers
Security firms not previously engaged with Pendle

Ineligible Participants:

Current or former Pendle team members or contractors
Auditors who reviewed Boros code
Anyone with privileged access to Boros development

Resources

Other Terms

By submitting a report, you grant Pendle the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Pendle. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.