Kiln Defi Bounty
Kiln DeFi enables non-custodial platforms to propose DeFi yield products (like lending supply or rwa distributor) where users can deposit any amount of ERC20 on a vault while remaining the only one able to access their staked assets.
The goal of these EVM Smart Contracts is to enable:
- Users to deposit to supported protocols with a common 4626 interface
- Enable Integrators, and any third parties enabled by the integrator to have a fee on the rewards generated or on the deposit, dispatched on-chain
This Bug Bounty is focused on Kiln DeFi Smart Contracts only, all items regarding dApps or indexing / reporting stacks are out of scope but can be submitted at [email protected].
For more information about Kiln DeFi, please visit https://www.kiln.fi/defi
Smart Contracts in Scope
Ethereum mainnet
| Smart Contract | Link |
|---|---|
| Vault Implementation | 0x1d7f221965e68475d44d1a8357f3211799b55e24 |
| VaultUpgradeableBeacon | 0x15f7f910e5a8c86e609fd11c58f7342d86d3a25c |
| ConnectorRegistry | 0xEEEBc7537717a39b747015FEaE221C1F069daE0b |
| VaultFactory | 0xA59a98872393BE8410C42f8EED13821fa85A32a1 |
| AaveV3Connector | 0x0D97Fa6C8F668E98C1ED9f6bB9Ec6d245d11DF41 |
| CompoundV3Connector | 0xF259CF58d4ddc9E3C8AbEA3EEBA5710db3F71045 |
| CompoundV3MarketRegistry | 0x08f80358Ce68363Ec06304cE667F1727246C852D |
| SDAIConnector | 0xb569824646a31fc950abe23B150d020c38B59D26 |
| Proxy (Bitcoin.com Spark DAI vault) | 0xF4918Ef824a242602E0d3e5DB07fFd4DaC4ad3Ea |
BNB mainnet
| Smart Contract | Link |
|---|---|
| Vault Implementation | 0x59d323355F4b257097e041C4776b7492Ed294Ea4 |
| VaultUpgradeableBeacon | 0x50006F2C5C914cEF560ceeD7686f038480199202 |
| ConnectorRegistry | 0xdaAd68A24d658F8e123b8620Fd8249C340749eCf |
| VaultFactory | 0x004074879Bc69E9B95084580A6Cc132a19b7A3Ac |
| AaveV3Connector | 0x124d426898eF174aa8D23f548fCfd13c34F91D2B |
| Proxy (Cool Wallet AaveV3 USDT) | 0x4d1806C26A728f2e1b82b4549b9E074DBE5940B9 |
Arbitrum mainnet
| Smart Contract | Link |
|---|---|
| Vault Implementation | 0x55Ee64c446c44e2bDcbD4242341D4a5A2DD61034 |
| VaultUpgradeableBeacon | 0xB03DDF4375E879B8E3bc240527bc55988c975ac4 |
| ConnectorRegistry | 0x75df468D9Aa3438cd12d98606Bb71B73145e9972 |
| VaultFactory | 0xd717eDe67EE3c5cAf385E392f2176c320E06Dd9d |
| AaveV3Connector | 0x431ED6d951C0d97D9B33Fb5e26Bc589D75C3D05d |
| CompoundV3Connector | 0x0F3Fa73dcF101F328AbFdD9176Cd11a16BD7bc16 |
| CompoundV3MarketRegistry | 0x9cb057f462BBd076E5dD30C5f5d5dfa97ab006D3 |
| Proxy (Bitnovo Compound v3 USDC) | 0x19A0F016Ac3989e754ab8216810beD8503bDA37e |
Polygon mainnet
| Smart Contract | Link |
|---|---|
| Vault Implementation | 0xD04a891b7d4c42f51FCF6e88e47800dAec5B0CbF |
| VaultUpgradeableBeacon | 0x89312A13D978820F15bC9414ef6ec9cC004C5D1f |
| ConnectorRegistry | 0xB55BCCcc4837FD5E960944cf2828e202deBF0891 |
| VaultFactory | 0x8cC927d0CFb6F9ddC4E6d20f5e5d23E8162eA602 |
| AaveV3Connector | 0xa85aa46892D9a0087B59883F417bF23C3Ab4c920 |
| Proxy (Cool Wallet AaveV3 USDT) | 0x03441c89e7b751bb570f9dc8c92702b127c52c51 |
Optimism mainnet
| Smart Contract | Link |
|---|---|
| Vault Implementation | 0x4094fc930CcFe3fc3A9369BE7335467dac8b20fa |
| VaultUpgradeableBeacon | 0xE1CacE168150265E1b1bC6E9c1636B747928a1D8 |
| ConnectorRegistry | 0x30cD15434d0d979b75ACe5116199d26623F6A804 |
| VaultFactory | 0xC65f4f4E6eFaeB68F900B90AfB00bF9D5A71D102 |
| AaveV3Connector | 0x35a60d4bDeedb3d6103ae1521cd985C649D81297 |
| Proxy (Dakota AAVE v3 USDC) | 0xb9ebff375d5eade50ed561f611754902f70e34cf |
Documentation for the assets provided in the table can be found at https://docs.kiln.fi/v1/kiln-products/defi.
Severity Definitions
Smart Contracts severity levels
| Severity level | Impact: High | Impact: Medium | Impact: Low |
|---|---|---|---|
| Likelihood:high | Critical | High | Medium |
| Likelihood:medium | High | Medium | - |
| Likelihood:low | Medium | - | - |
Critical: - Complete loss of funds or permanent freezing of funds
High: - Theft of unclaimed yield, or Permanent freezing of unclaimed yield - Temporary freezing of funds > 2 days (excluding potential delay due to an oracle).
Medium: - Smart contracts inoperable due to lack of funds - Griefing or unbounded gas consumption - Theft of any commission/fees
A PoC is required for the following severity levels:
- Smart Contract:
- Critical
- High
- Medium
Rewards
Rewards for Smart Contract Bugs
| Severity | Reward Amount |
|---|---|
| Critical | $500,000 |
| High | $50,000 |
| Medium | $20,000 |
Reward Levels
-
Critical: Upto 500,000, Minimum payout 100,000 Rewards will be further capped at 10% of direct funds at risk based on the valid POC provided.
-
High: Upto 50,000, Minimum payout 20,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided. In case of a temporary freeze of funds, reward is proportional to the amount of funds locked and increases as the freeze duration increases up until the maximum cap of the High severity levels.
-
Medium: Upto 20,000, Minimum payout $5,000 Rewards will be further capped at 100% of direct funds at risk based on the valid POC provided.
-
The bug bounty will have a hard cap of $1,000,000. In the case of multiple bug findings are submitted that exceed this amount, the rewards will be distributed on a first come first served basis.
Out of Scope
These impacts are out of scope for this bug bounty program. General:
- Consequences resulting from exploits the reporter has already carried out, which lead to damage.
- Issues caused by attacks that require access to leaked keys or credentials.
- Problems arising from attacks that need access to privileged roles (e.g., governance or strategist), except when the contracts are explicitly designed to prevent privileged access to functions that enable the attack.
- Issues relying on attacks triggered by the depegging of an external stablecoin, unless the attacker causes the depegging due to a bug in the code.
- References to secrets, access tokens, API keys, private keys, etc., that are not being used in production.
Smart Contracts:
- Issues arising from incorrect data provided by third-party oracles, with the exception of oracle manipulation or flash loan attacks.
- Attacks that rely on basic economic or governance vulnerabilities, such as a 51% attack.
- Problems related to insufficient liquidity.
- Issues stemming from Sybil attacks.
- Concerns involving risks of centralization.
- Suggestions for best practices.
Roles:
- Admin, proxy admin, hatcher admin, treasury, oracles and other admin roles are trusted to behave properly and in the best interest of the users. They should not be considered as malicious. Submission citing malicious behaviour of these roles will be considered invalid.
Known Issues
Known issues listed and acknowledged below are not eligible for any reward through the bug bounty program.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol.
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Disclosure
Researchers who submit valid vulnerability reports agree to adhere to the following responsible disclosure process:
- Upon confirmation of a valid vulnerability, Kiln will work diligently to develop and implement a fix.
- Once the fix is deployed to production, Kiln will notify the researcher and initiate a 1-month (30 calendar days) disclosure waiting period.
- During this waiting period, the researcher must maintain strict confidentiality regarding the vulnerability and shall not disclose any information about it to third parties or the public.
- After the 1-month period has elapsed following the production deployment of the fix, the researcher may publicly disclose the vulnerability, provided they have obtained written approval from Kiln regarding the content of the disclosure.
- The researcher agrees to coordinate with Kiln on the timing and content of any public disclosure to ensure all parties are prepared and to minimize potential risks to users.
- If the researcher discovers that the vulnerability has become publicly known before the end of the waiting period, they should immediately notify Kiln. Kiln reserves the right to request an extension of the waiting period in exceptional circumstances, which will be communicated to the researcher in writing.
Eligibility
Security researchers who fall under any of the following are ineligible for a reward
- Any person included on the List of Specially Designated Nationals and Blocked Persons maintained by the US Treasury Department’s Office of Foreign Assets Control (OFAC) or on any list pursuant to European Union (EU) and/or United Kingdom (UK) regulations.
KYC
The following information is required for payments:
- If the claim comes from an individual:
- The first names, surnames, date and place of birth of the person concerned
- A Valid ID
- If the claim comes from a business:
- Legal form, name, registration number and address of the registered office
- Valid certificate of incorporation
- List of shareholders/directors
- The first names, surnames, date and place of birth of the person concerned
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Any denial of service attacks that are executed against project assets
- Automated testing of services that results in a denial of service
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
- Attempting phishing or other social engineering attacks against our employees and/or customers
Total reward
$500,000
Findings submitted
2
Start date
9 Sep 2024
Please sign in as a researcher to join the bounty.
Log in