Pendle Finance / Pendle Bounty
Pendle is the first protocol that enables the trading of tokenized future yield on an AMM system. The project aims to give holders of yield-generating assets the opportunity to generate additional yield and to lock in future yield upfront, while offering traders direct exposure to future yield streams, without the need for an underlying collateral.
Further resources regarding the Pendle can be found at pendle.finance
The bug bounty program is focused around its smart contracts and is mostly concerned with the loss of user funds.
Contracts in Scope
Network: Mainnet Ethereum
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | vePendle |
| Explorer Link | senderEndpoint |
| Explorer Link | votingController |
| Explorer Link | gaugeController |
| Explorer Link | feeDistributorV2 |
Network: Arbitrum
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | receiverEndpoint |
| Explorer Link | vePendle |
| Explorer Link | gaugeController |
| Explorer Link | arbMerkleDistribution |
Network: Optimism
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | receiverEndpoint |
| Explorer Link | vePendle |
| Explorer Link | gaugeController |
Network: Binance Smart Chain
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | receiverEndpoint |
| Explorer Link | vePendle |
| Explorer Link | gaugeController |
Network: Mantle
| Target URL | Type |
|---|---|
| Explorer Link | router |
| Explorer Link | ActionAddRemoveLiqV3 |
| Explorer Link | ActionSwapPTV3 |
| Explorer Link | ActionSwapYTV3 |
| Explorer Link | ActionMiscV3 |
| Explorer Link | ActionCallbackV3 |
| Explorer Link | ActionStorageV4 |
| Explorer Link | pendleSwap |
| Explorer Link | ptAndLpOracle |
| Explorer Link | yieldContractFactoryV3 |
| Explorer Link | marketFactoryV3 |
| Explorer Link | limitRouter |
| Explorer Link | receiverEndpoint |
| Explorer Link | vePendle |
| Explorer Link | gaugeController |
Additional scope:
All StandardizedYieldToken, PendlePrincipalToken, PendleYieldToken, PendleYieldTokenV2, and PendleMarket contracts of assets listed under the links below are in scope. Note that each asset will have a different SY but the same PT, YT, and Market.
Award Levels
Rewards are capped at 10% of economic impact.
- Very Critical: Up to $2,000,000 USD, minimum payout $200,000 USD
- Critical: Up to $1,000,000 USD, minimum payout $100,000 USD
- High: Up to $100,000 USD, minimum payout $20,000 USD
- Medium: Up to $20,000 USD
- Below Medium: To be awarded at the discretion of Pendle Finance
Severity Definitions
For manipulation that can steal/freeze users' funds (excluding unclaimed yield)
| Likelihood/Impact | >10% TVL | 1-10% TVL | < 1% TVL |
|---|---|---|---|
| High | Very Critical | Critical | High or Critical |
| Medium | Critical | High or Critical | High |
| Low | High or Critical | High | Medium |
For other manipulation
The Pendle team will exercise its discretion, together with the Cantina team, to judge the severity with the aim of awarding fairly to security researchers.
| Likelihood/Impact | Significant | Moderate | Minimal |
|---|---|---|---|
| High | High or Critical | High | Medium |
| Medium | High | Medium | Below Medium |
| Low | Medium | Below Medium | Below Medium |
Out of Scope (all repositories)
If an issue is discovered and is not from the files listed as In Scope above, security researchers are encouraged to report the finding. Awards for out of scope issues to be determined at the discretion of Pendle Finance.
The Pendle team will be very flexible in assessing all submissions, with the goal of prioritizing the security of the protocol.
Known Public Issues
Known issues from previous security reviews are considered out of scope.
- pendle-core-v2-public/audits are considered as out-of-scope.
Known but not Public Issues
Are considered out of scope.
Specific Types of Issues
- Informational findings.
- Design choices related to protocol
- Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to
address(0). - Rounding errors.
- Relatively high gas consumption.
- Extreme market turmoil vulnerability.
Prohibited Actions
- Live testing on public chains, including public mainnet deployments and public testnet deployments.
- We recommend testing on local forks, for example using foundry.
- Public disclosure of bugs without the consent of the protocol team.
- Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.
Summary
Status
LiveTotal reward:
$2,000,000 USDC
Start date:
14 Jun 2024 12:00pm (local time)