Superlend / Superfund bounty

SuperFund optimally allocates your USDC across trusted blue-chip lending protocols such as Aave, Morpho, Euler, & Fluid to generate consistent and competitive returns. It is a low-risk, high-reliability investment vault designed for users looking to maximize yield on their stable coins in a safe and efficient way.

Scope

In-Scope Targets:

Repository: https://github.com/Superlend/superfund-strategies-public
Commit: 61c7d7c7a8fa3b28c8957515f464026710e63a03
Total LOC: ~700
Files:

Out-of-Scope Targets:

Previous security reports:
- Audit report
Expected behavior:
- The owner role is expected to be able to upgrade the smart contract through Proxy admin

Documentation

README.md
The codebase contains comments for each of the functions and interactions

Prohibited Actions

No Live Testing on Public Chains: Explicitly prohibit live testing on public chains to prevent unintended disruptions.
No Public Disclosure of Bugs: Reinforce the importance of confidentiality and prohibit the public disclosure of vulnerabilities before they are addressed.
Conflict of Interest: Clarify any potential conflicts of interest that should be avoided.

Disclosure Requirements

Report must include:

A clear description of the vulnerability and its impact.
Steps to reproduce the issue, ideally with a proof of concept.
Details on the conditions under which the issue occurs.
Potential implications if the vulnerability were exploited.

Reports should be made as soon as possible—ideally within 24 hours of discovery.

Eligibility

To be eligible for a reward, you must:

Be the first to report a previously unknown, non-public vulnerability within the defined scope.
Provide sufficient information to reproduce and fix the vulnerability.
Not have exploited the vulnerability in any malicious manner.
Not have disclosed the vulnerability to third parties before receiving permission.
Comply with all Program rules and applicable laws.

You must also be of legal age in your jurisdiction and not be a resident in a country under sanctions or restrictions, as required by applicable laws.

Severity and Rewards

Vulnerabilities are classified using two factors: Impact and Likelihood. The combination of these factors determines the severity and guides the reward amount.

Severity Level	Impact: High	Impact: Medium	Impact: Low
Likelihood: High	Critical	High	Medium
Likelihood: Medium	High	Medium	Low
Likelihood: Low	Medium	Low	-

Impact Definitions:

Critical:
- Manipulation of governance voting result deviating from voted outcome and resulting in a direct change from intended effect of original results
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
- Permanent freezing of funds
- Protocol insolvency
High:
- Theft of unclaimed yield
- Permanent freezing of unclaimed yield
- Temporary freezing of funds for more than 1 week
Medium:
- Smart contract unable to operate due to lack of token funds
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
- Unbounded gas consumption
Low:
- Contract functions affected but does not result in loss of fund or impact severely

Likelihood Definitions:

High: Very easy to exploit or highly incentivized.
Medium: Exploitation is possible under certain conditions.
Low: Difficult to exploit or requires highly specific conditions.

Payout Guidelines

Risk Score	Payout Range
Critical	Up to $15,000
High	Up to $10,000
Medium	Up to $2,000

Note: Actual reward amounts are determined at Superlend’s sole discretion. Factors influencing payout include quality of report, completeness, and the severity and exploitability of the vulnerability.

Other Terms

By submitting a report, you grant Superlend the rights necessary to investigate, mitigate, and disclose the vulnerability. Reward decisions and eligibility are at the sole discretion of Superlend. The terms, conditions, and scope of this Program may be revised at any time. All participants are responsible for reviewing the latest version before submitting a report.