Pendle Bounty

@pendle-finance
Live

Total reward: $2,000,000
Findings submitted: 41
Start date: 14 Jun 2024

Pendle is the first protocol that enables the trading of tokenized future yield on an AMM system. The project aims to give holders of yield-generating assets the opportunity to generate additional yield and to lock in future yield upfront, while offering traders direct exposure to future yield streams, without the need for an underlying collateral.

Further resources regarding Pendle can be found at pendle.finance.

The bug bounty program is focused on Pendle's smart contracts and is mostly concerned with the loss of user funds.

Contracts in Scope

The following table lists the Pendle V2 system contracts across all chains on which Pendle V2 is deployed. A cell reading "link" marks a deployment of that contract on that chain; N/A means the contract is not deployed there.

Type                               Ethereum  Optimism  Sonic     Arbitrum  BSC       Mantle    Base      Bera      HyperEVM
pyYtLpOracle                       link      link      link      link      link      link      link      link      link
router                             link      link      link      link      link      link      link      link      link
routerFacets.ActionAddRemoveLiqV3  link      link      link      link      link      link      link      link      link
routerFacets.ActionCallbackV3      link      link      link      link      link      link      link      link      link
routerFacets.ActionMiscV3          link      link      link      link      link      link      link      link      link
routerFacets.ActionSimple          link      link      link      link      link      link      link      link      link
routerFacets.ActionStorageV4       link      link      link      link      link      link      link      link      link
routerFacets.ActionSwapPTV3        link      link      link      link      link      link      link      link      link
routerFacets.ActionSwapYTV3        link      link      link      link      link      link      link      link      link
limitRouter                        link      link      link      link      link      link      link      link      link
reflector                          link      link      link      link      link      link      link      link      link
pendleSwap                         link      link      link      link      link      link      link      link      link
receiverEndpoint                   N/A       link      link      link      link      link      link      link      link
senderEndpoint                     link      N/A       N/A       N/A       N/A       N/A       N/A       N/A       N/A
vePendle                           link      link      link      link      link      link      link      link      link
votingController                   link      N/A       N/A       N/A       N/A       N/A       N/A       N/A       N/A
marketFactoryV5                    link      link      link      link      link      link      link      link      link
yieldContractFactoryV5             link      link      link      link      link      link      link      link      link
gaugeController                    link      link      link      link      link      link      link      link      link
feeDistributorV2                   link      N/A       N/A       N/A       N/A       N/A       N/A       N/A       N/A
vePendleAirdropDistributor         link      link      link      link      link      link      link      link      link
externalRewardsDistributor         link      link      link      link      link      link      link      link      link
decimalsFactory                    link      link      link      link      link      link      link      link      link
lpWrapperFactory                   link      link      link      link      link      link      link      link      link

Additionally, markets that are whitelisted on the Pendle V2 platform are also considered in scope.

  • This includes StandardizedYieldToken (SY), PendlePrincipalToken (PT), PendleYieldToken (YT), PendleYieldTokenV2 (YTv2) and PendleMarket (Market).

  • Please note that each asset will have a different SY but the same PT, YT (or YTv2), and Market.

  • The list of currently active and inactive markets can be obtained using the following endpoints from our Backend:

  • SY contracts that are not deployed and audited by the Pendle team will NOT be considered.

  • The underlying contracts that SY and Market are based on are considered out of scope.

Award Levels

Level  Very Critical  Critical       High         Medium      Low
Max    2,000,000 USD  1,000,000 USD  100,000 USD  20,000 USD  To be awarded at the discretion of Pendle Finance
Min    200,000 USD    100,000 USD    10,000 USD

Rewards are capped at 10% of economic impact.

Detailed Reward calculation

  • For very critical/critical/high smart contract bugs, the reward amount is 10% of the funds directly affected, up to a maximum of 2,000,000 USD/1,000,000 USD/100,000 USD respectively.
  • The calculation of the amount of funds at risk is based on the time and date the bug report is submitted.
  • However, a minimum reward of 200,000 USD/100,000 USD/10,000 USD is to be awarded in order to incentivize security researchers against withholding a bug report.

Cross-Market Limitations

  • If multiple markets whitelisted on Pendle can be exploited with the same vulnerability, the funds at risk are the combined sum of the funds that can be stolen across those markets.

Repeatable Attack Limitations

  • If the smart contract in which the vulnerability exists can be upgraded or paused, only the funds stolen in the first attack are considered funds at risk.
  • If the smart contract in which the vulnerability exists can NOT be upgraded or paused, the funds at risk of each attack are calculated as follows:
    • 100% of the funds that could be stolen in the first attack.
    • max(0, 100% - 25% * ⌈t⌉) of the funds that could be stolen in each subsequent attack, where t is the time since the first attack, in hours (a 25% reduction per hour).
  • If the attack has cross-chain impact:
    • Among all transactions sent across all chains supported by Pendle, the transaction with the lowest block time is considered the first attack.
  • Claimable yields (interest and rewards) that can be stolen by the attacks are also considered funds at risk.
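The repeatable-attack rule above, turned into a small calculator (an added example, not code from Pendle or Cantina): it orders attacks by block time across chains, applies the hourly 25% decay to every attack after the first, and clamps the 10% reward to the tier bounds from the Award Levels table. The attack list and timestamps are constructed sample values.

```python
"""Funds-at-risk and reward calculator for the repeatable-attack rules.

Rules encoded (see the Repeatable Attack Limitations above):
  - upgradable/pausable contract: only the first attack counts;
  - otherwise each later attack counts max(0, 1 - 0.25 * ceil(t_hours));
  - the lowest block time across all chains is the first attack;
  - reward = 10% of funds at risk, clamped to the tier's min/max.
"""
from math import ceil

# Tier bounds (min, max) in USD from the Award Levels table.
TIERS = {
    "very critical": (200_000, 2_000_000),
    "critical": (100_000, 1_000_000),
    "high": (10_000, 100_000),
}

# Constructed sample: (block timestamp in seconds, chain, stolen USD).
SAMPLE_ATTACKS = [
    (1_700_000_000, "ethereum", 1_000_000),  # first attack
    (1_700_001_800, "arbitrum", 400_000),    # +0.5 h -> ceil = 1 -> 75%
    (1_700_009_000, "ethereum", 400_000),    # +2.5 h -> ceil = 3 -> 25%
    (1_700_014_400, "base", 400_000),        # +4.0 h -> ceil = 4 -> 0%
]


def funds_at_risk(attacks, upgradable):
    """Total funds at risk; attacks are (timestamp, chain, stolen_usd)."""
    if not attacks:
        return 0.0
    # Block timestamps are compared directly across chains: earliest wins.
    ordered = sorted(attacks, key=lambda a: a[0])
    first_ts, _, first_amount = ordered[0]
    if upgradable:
        return float(first_amount)
    total = float(first_amount)
    for ts, _, amount in ordered[1:]:
        hours = (ts - first_ts) / 3600
        factor = max(0.0, 1.0 - 0.25 * ceil(hours))
        total += amount * factor
    return total


def reward(funds_usd, tier):
    """10% of economic impact, clamped to the tier's [min, max] in USD."""
    low, high = TIERS[tier]
    return min(high, max(low, funds_usd / 10))


if __name__ == "__main__":
    risk = funds_at_risk(SAMPLE_ATTACKS, upgradable=False)
    print(risk, reward(risk, "critical"))
```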

Feasibility Limitations

  • Bug reports about an attack that focuses only on the underlying protocol of one of the markets whitelisted on Pendle V2, without any exploit of Pendle V2's contracts, will NOT be considered for this bug bounty program.
    • Even though Pendle V2 users can lose their funds when interacting with Pendle V2, the cause is the exploitation of the underlying protocol, which forces incompatibility with the Pendle V2 system.
  • Bug reports that require an attack involving one or more other protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX), either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible, will be downgraded by one severity level.
    • However, they will be considered in scope and categorized according to the program rules as long as all of the following are true:
      • Losses or other negative effects of the attack are inflicted upon Pendle V2 users.
      • The additional protocols used have enough liquidity in the relevant assets to allow the attack to succeed at the time of bug report submission. For example: if an attack requires an ETH flash loan, but the amount is larger than all the ETH available for loan across the ecosystem

Severity levels

For manipulation that can steal/freeze users' funds

Likelihood / Impact  >10% TVL          1-10% TVL         <1% TVL
High                 Very Critical     Critical          High or Critical
Medium               Critical          High or Critical  High
Low                  High or Critical  High              Medium

For other manipulation

The Pendle team will exercise its discretion, together with the Cantina team, to judge the severity with the aim of awarding fairly to security researchers.

Likelihood / Impact  Significant       Moderate  Minimal
High                 High or Critical  High      Medium
Medium               High              Medium    Low
Low                  Medium            Low       Low

Out of Scope (all repositories)

If an issue is discovered that is not in the files listed as In Scope above, security researchers are encouraged to report the finding. Awards for out-of-scope issues are to be determined at the discretion of Pendle Finance.

The Pendle team will be very flexible in assessing all submissions, with the goal of prioritizing the security of the protocol.

Known Public Issues

Known issues from previous security reviews are considered out of scope.

Known but not Public Issues

These are considered out of scope.

Specific Types of Issues

  • Informational findings.
  • Design choices related to the protocol.
  • Issues that are ultimately user errors and can easily be caught in the frontend. For example, transfers to address(0).
  • Rounding errors.
  • Relatively high gas consumption.
  • Extreme market turmoil vulnerability.

Prohibited Actions

  • Any testing on mainnet or public testnet deployed code; all testing should be done on local forks of either public testnet or mainnet.
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Public disclosure of bugs without the consent of the protocol team.
  • Conflict of Interest: any employee or contractor working with Project Entity cannot participate in the Bug Bounty.