3F Grunt
Maximum reward: $250,000
Severity and maximum reward:
- Critical: $250,000
- High: $25,000
- Medium: $2,500
Deposit required: $50
Findings submitted: 18
Start date: 2 Jun 2026
KYC: Required to join
3F is a protocol that brings on-chain leverage to yield opportunities that can't be looped atomically. In typical DeFi, leverage is simple: deposit, borrow, and redeposit in a single transaction. But RWAs and other asynchronous yield sources settle over days or weeks, making that kind of instant looping impossible. 3F bridges this gap by enabling leverage to be built up in one settlement cycle of the underlying RWA, using bridge loans whose usage is narrowly scoped and enforced entirely on-chain.
A vault depositor (3F LP) provides the initial equity and Bridge Facilitators lend the remaining capital. The combined capital is routed into an on-chain fund, and the Bridge Facilitator is refinanced once the leveraged position is established in a DeFi market, leaving the user with the leveraged exposure they wanted. At its core, 3F is a coordination layer that brings four sides together into a single, on-chain leveraged flow.
Severity Definitions
Vulnerabilities are classified by Impact and Likelihood; the combination determines the final severity.
Impact
- Critical: Leads to severe loss of user funds, permanent system disruption, or widespread compromise.
- High: Causes notable financial loss or significantly harms user trust, but on a lesser scale than Critical.
- Medium: Results in limited financial damage or moderate system impact.
- Low / Informational: Minimal direct risk but may indicate areas for improvement.
Likelihood
- High: Very easy to exploit or highly incentivized.
- Medium: Exploitation is possible under certain conditions.
- Low: Difficult to exploit or requires very specific conditions.
In addition to the above definitions, we will also use the Cantina Bug Bounty Severity Classification Framework to determine severity.
Prohibited Actions
- No unauthorized testing on production environments: Do not test vulnerabilities on mainnet or public testnet deployments without prior authorization. Use local test environments or private test setups.
- No public disclosure without consent: Do not publicly disclose details of any vulnerability before it has been addressed and you have received written permission to disclose.
- No exploitation or data exfiltration: Do not exploit the vulnerability beyond the minimum steps necessary to demonstrate the issue. Do not access private data, engage in social engineering, or disrupt service.
- No conflict of interest: Individuals currently or formerly employed by 3F Labs, or who contributed to the development of the affected code, are ineligible to participate.
Eligibility
To be eligible for a reward, you must:
- Be the first to report a previously unknown, non-public vulnerability within scope.
- Provide sufficient information to reproduce and fix the issue.
- Not have exploited the vulnerability in a malicious manner.
- Not have disclosed the vulnerability to third parties prior to receiving permission.
- Comply with all program rules and applicable laws.
- Be of legal age in your jurisdiction and not reside in a country under sanctions or restrictions, as required by applicable laws.
KYC is required before any reward is paid. Cantina will invoice the client and, once payment is received, process the payout to the researcher and manage the necessary KYC requirements.
Disclosure Requirements
Please report vulnerabilities directly through the Cantina platform. Each report should include:
- A clear description of the vulnerability and its impact.
- Steps to reproduce the issue (proof of concept preferred).
- The conditions under which the issue occurs.
- The potential implications if exploited.
Reports should be made as soon as possible, ideally within 24 hours of discovery.
Other Terms
By submitting a report, you grant 3F Labs the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of 3F Labs. The terms, conditions, and scope of this program may be revised at any time; participants are responsible for reviewing the latest version before submitting a report.