Pendle Boros Bounty
Total reward: $500,000
Findings submitted: 35
Start date: 19 Sep 2025
Pendle Boros is the first protocol that provides a marketplace for on-chain interest rate swaps. The protocol enables users to take long or short positions on variable interest rates with leverage through a hybrid system combining a central limit order book and an AMM.
The bug bounty program is focused on smart contract security and is primarily concerned with preventing loss of user funds and protocol insolvency. Further resources regarding Boros can be found at boros.pendle.finance.
Contracts in Scope
The following Boros core contracts deployed on Arbitrum are in scope:
Address | Contract |
---|---|
0x8080808080daB95eFED788a9214e400ba552DEf6 | Router |
0x1080808080f145b14228443212e62447C112ADaD | MarketHub |
0x2080808080262c1706598c9DBDD3a0cD3601e5ea | AccessController |
0x3080808080Ee6a795c1a6Ff388195Aa5F11ECeE0 | MarketFactory |
0x3205e972714B52512c837AE6f5FCFDeB07f0f23C | AMMFactory |
0x353C6Ba99500f9F5a7937aF7BF26c8E40817518B | AdminModule |
0xD0808080803c59dBF8825290bca8979786C2d65B | MakerIncentiveDistributor |
0xD180808080402FE41711Db560B8db5C41e21Df71 | AMMIncentiveDistributor |
Active markets and their related contracts are also in scope:
- The list of markets can be obtained at https://api.boros.finance/core/docs#/Markets/MarketsController_getMarkets
- For each market, the in-scope contracts include Market, AMM, and FIndexOracle.
- For example, for market with ID 2, the following contracts are considered:
- Matured markets will be considered if the vulnerability has system-wide impact or impacts active markets.
Award Levels
Rewards are distributed based on vulnerability severity and potential economic impact.
Severity | Maximum Payout | Minimum Payout |
---|---|---|
Critical | Up to $500,000 USD | $50,000 USD |
High | Up to $100,000 USD | $20,000 USD |
Medium | Up to $50,000 USD | $10,000 USD |
Low | At discretion | At discretion |
Note: Rewards are capped at 10% of economic impact for fund-loss scenarios.
Severity Definitions
Technical Exploits
This covers vulnerabilities in smart contract implementation that could lead to theft or loss of funds. These are traditional bugs in the code itself, as opposed to economic design flaws covered in the next section.
Severity is determined by both the amount of funds at risk and likelihood of exploitation:
Likelihood | >10% TVL | 1-10% TVL | <1% TVL |
---|---|---|---|
High | Critical | High | Medium |
Medium | High | Medium | Medium or Low |
Low | Medium | Medium or Low | Low |
For vulnerabilities that result in immediate token extraction out of Boros contracts, the funds at risk are calculated as 100% of exploitable amount.
For vulnerabilities that result in artificially inflated account balances but not immediate token extraction (i.e. still subject to withdrawal cooldown), the funds at risk are calculated as 20% of the exploitable amount (after deducting attack costs). However, a vulnerability that results in an inflated account balance that can be leveraged to cause protocol insolvency will be considered higher severity. This type of vulnerability will be assessed based on the potential total economic damage to the protocol, not just the capped amount.
Note: The adjusted funds at risk are used as the "economic impact" for reward calculation. For vulnerabilities mitigated by the cooldown mechanism, this effectively caps rewards at 2% of the exploitable amount (20% funds at risk × 10% reward cap). The minimum payout still applies.
Economic Exploits
Economic exploits are vulnerabilities in the protocol's design, as opposed to direct coding bugs, that can lead to systemic financial damage without necessarily involving a direct theft of funds. These include economic design flaws and manipulation strategies that exploit legitimate protocol mechanisms.
Unlike technical exploits where funds at risk can be calculated relatively precisely, economic exploits often have complex, cascading effects that make standardized calculations difficult. Therefore, severity will be determined on a case-by-case basis at Pendle's sole discretion, based on our assessment of the potential total financial damage to the protocol. Factors considered may include direct losses, user funds at risk, market dysfunction duration, confidence impact, and systemic risks. Pendle reserves the right to make final determinations on both the validity and severity of all economic exploit submissions.
Likelihood/Impact | Significant | Moderate | Minimal |
---|---|---|---|
High | High or Critical | High | Medium |
Medium | High | Medium | Low |
Low | Medium | Low | Low |
Other Vulnerabilities
For other vulnerabilities, the Pendle team exercises discretion, together with Cantina, to determine final severity based on the specific context and potential impact of each vulnerability.
Out of Scope
Security researchers are still encouraged to report out-of-scope issues. Awards for out-of-scope issues are determined at the discretion of Pendle Finance.
The Pendle team will be very flexible in assessing all submissions, with the goal of prioritizing the security of the protocol.
Excluded from Bounty Program
- Issues not from contracts listed in "Contracts in Scope" section
- Known issues from previous audits
- Third-party protocols or tokens integrated with Boros
- Frontend applications and UI bugs
- Infrastructure vulnerabilities (DNS, servers, CDN)
- MEV that doesn't violate protocol invariants
- Issues requiring unlikely user behavior or social engineering
- Vulnerabilities in underlying blockchain infrastructure
Specific Issue Types Not Eligible
- Informational findings without security impact
- Design choices and protocol architecture decisions
- User errors preventable by frontend validation (e.g., transfers to address(0))
- Minor rounding errors without economic impact
- Gas consumption optimizations
- Vulnerabilities requiring extreme market conditions
Rules and Guidelines
Testing Requirements
- No Mainnet Testing: All testing must be on local forks (e.g., using Foundry)
- Responsible Disclosure: No public disclosure before issue resolution
- Confidentiality: Maintain strict confidentiality until authorized disclosure
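The no-mainnet-testing rule means every proof of concept should run against a local fork of Arbitrum. The Foundry test below is an added illustration, not Pendle's or Cantina's code: it pins a fork at the current block, checks that the eight in-scope core addresses from the scope table actually carry bytecode on that fork (a cheap way to catch a mistyped address before building an exploit), and shows that state changes stay inside the fork. It assumes forge-std is installed and that an `ARBITRUM_RPC_URL` environment variable points at an Arbitrum RPC endpoint; both are assumptions of this example, not requirements stated by the program.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example for fork-based PoC work. Not part of the Boros code base.
// Assumes forge-std (forge install foundry-rs/forge-std) and an
// ARBITRUM_RPC_URL variable in the environment; both are assumptions.
import {Test} from "forge-std/Test.sol";

contract BorosScopeForkTest is Test {
    // Core contract addresses copied from the "Contracts in Scope" table (Arbitrum).
    address constant ROUTER                     = 0x8080808080daB95eFED788a9214e400ba552DEf6;
    address constant MARKET_HUB                 = 0x1080808080f145b14228443212e62447C112ADaD;
    address constant ACCESS_CONTROLLER          = 0x2080808080262c1706598c9DBDD3a0cD3601e5ea;
    address constant MARKET_FACTORY             = 0x3080808080Ee6a795c1a6Ff388195Aa5F11ECeE0;
    address constant AMM_FACTORY                = 0x3205e972714B52512c837AE6f5FCFDeB07f0f23C;
    address constant ADMIN_MODULE               = 0x353C6Ba99500f9F5a7937aF7BF26c8E40817518B;
    address constant MAKER_INCENTIVE_DISTRIBUTOR = 0xD0808080803c59dBF8825290bca8979786C2d65B;
    address constant AMM_INCENTIVE_DISTRIBUTOR  = 0xD180808080402FE41711Db560B8db5C41e21Df71;

    uint256 internal forkId;

    function setUp() public {
        // Create and select a fork of Arbitrum at the latest block. Every test
        // below executes against this local copy; nothing is ever broadcast.
        forkId = vm.createSelectFork(vm.envString("ARBITRUM_RPC_URL"));
    }

    function inScopeCore() internal pure returns (address[8] memory scope) {
        scope = [
            ROUTER,
            MARKET_HUB,
            ACCESS_CONTROLLER,
            MARKET_FACTORY,
            AMM_FACTORY,
            ADMIN_MODULE,
            MAKER_INCENTIVE_DISTRIBUTOR,
            AMM_INCENTIVE_DISTRIBUTOR
        ];
    }

    // Sanity check before any exploit work: each in-scope address must hold
    // bytecode on the fork. A zero-length code size means a typo or the
    // wrong chain, and a PoC built on it would prove nothing.
    function testInScopeCoreContractsHaveCode() public view {
        address[8] memory scope = inScopeCore();
        for (uint256 i = 0; i < scope.length; i++) {
            assertGt(scope[i].code.length, 0, "in-scope address has no code on the fork");
        }
    }

    // Demonstrates that fork state is local: the balance change below exists
    // only in this test's fork and is discarded when the test ends.
    function testForkStateIsLocal() public {
        vm.selectFork(forkId);
        uint256 before = address(this).balance;
        vm.deal(address(this), before + 1 ether);
        assertEq(address(this).balance, before + 1 ether);
    }
}
```

Run it with `ARBITRUM_RPC_URL=https://... forge test --match-contract BorosScopeForkTest -vvv`. Pinning the fork to a fixed block (`vm.createSelectFork(url, blockNumber)`) makes a PoC reproducible for the triage team, which matters because the reward depends on funds at risk at the time of the report; the same harness is the natural place to add the per-market Market, AMM and FIndexOracle addresses obtained from the markets API.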
Submission Rules
- Each vulnerability must be reported separately
- Only previously unknown vulnerabilities are eligible
- No exploitation for profit or damage
- For duplicate reports, only the first valid submission receives the reward
- Quality of submission significantly impacts reward amount
Eligibility
Eligible Participants:
- Independent security researchers
- White hat hackers
- Security firms not previously engaged with Pendle
Ineligible Participants:
- Current or former Pendle team members or contractors
- Auditors who reviewed Boros code
- Anyone with privileged access to Boros development
Other Terms
By submitting a report, you grant Pendle the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Pendle. The terms, conditions, and scope of this Program may be revised at any time. Participants are responsible for reviewing the latest version before submitting a report.