Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.
Live
Triaged by Immunefi
Step-by-step PoC Required
Build Commands, Test Commands, and How to Run Them
Follow the setup, build and test commands in the repo README: https://github.com/Folks-Finance/algorand-ntt-contracts/blob/main/README.md.
Asset Accuracy Assurance
Bugs found on assets incorrectly listed in-scope are valid.
Code Freeze Assurance
Code of the assets in scope is frozen while the program is live.
Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.
The project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.
Previous Audits
Folks Finance’s completed audit reports can be found at https://github.com/Folks-Finance/audits/blob/bb69a84b2015280e903ee5b55e2bbbc5b880e54f/Adevar%20-%20Algorand%20Wormhole%20NTT%20-%20October%202025.pdf. Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.
Public Disclosure of Known Issues
- Bug reports for publicly disclosed bugs are not eligible for a reward.
- The Algorand Wormhole NTT implementation doesn’t have the exact same behaviour/specification as the EVM/Solana/Sui Wormhole NTT implementation.
- There is no support for the NTT Global Accountant.
- There is no support for “additional payload” in NttManager.
- There is no support for automatic relaying in WormholeTransceiver.
- It is the responsibility of the integrator to prevent overflow risk in TrimmedAmount by setting appropriate decimals.
- It is the responsibility of the integrator to set an appropriate threshold for attestations in the NttManager.
- It is the responsibility of the integrator to set appropriate rate limits in the NttManager.
- It is the responsibility of the integrator to add and appropriately manage the configured Transceivers, e.g. considering the foreign reference limitations, opcode costs, etc.
- An ASA may have its clawback/freeze set.
- The NttToken, NttTokenNew and NttTokenExisting are provided as reference implementations. A project is able to implement its own concrete INttToken if needed to fit its custom needs.
- In general, Wormhole NTT is a framework, so if a given behaviour is not supported, integrators are recommended to modify the smart contracts for themselves.
- Opcode optimisation when prioritising clean and readable code.
- Not checking for rekey and close-to.
- Some box storage cannot be deleted.
- Box MBR funding is implicitly required.
- Some box storage costs are not refunded after box deletion.
- Block timestamp manipulation by block proposer.
Private Known Issues Reward Policy
Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.
Where might Security Researchers confuse out-of-scope code to be in-scope?
Although the smart contract code for the following components is out of scope, their impact and how they are used are in scope: on other chains, the Wormhole NTT implementation; on Algorand, the Wormhole Core smart contract, the VaaVerify logic signature and the TmplSig logic signature. Note also that if the rate limit is exceeded, the transfer is only delayed from completing, not rejected. This is the intended design, as it follows the equivalent EVM implementation.
Is this an upgrade of an existing system? If so, which? And what are the main differences?
It’s an extension to the existing Wormhole NTT framework, adding support for Algorand. The main differences between the Algorand and EVM implementations of Wormhole NTT are the introduction of a generic MessageHandler and a global TransceiverManager.
Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?
Cases where assumptions are made about what the compiled TEAL code does when in reality it behaves differently. You can inspect what the Algorand Python compiles into by looking at the generated build folder named “specs/teal”.
Replay attacks where you can receive or execute the same message multiple times.
What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?
Algorand Standard Assets (ASAs)
What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?
The integrator has the ability to pause certain functionality in the NttManager and TransceiverManager. A rate limit can be configured for outbound and inbound transfer amounts. Configured Transceivers can be removed and added.
What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?
In the NttManager: default admin, upgradeable admin, ntt manager admin. In the NttTokenNew and NttTokenExisting: default admin, upgradeable admin. In the TransceiverManager: message handler admin. In the WormholeTransceiver: default admin, upgradeable admin, manager.
What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them?
None
Which chains and/or networks will the code in scope be deployed to?
Algorand
What external dependencies are there?
- Algorand smart contract library https://github.com/Folks-Finance/algorand-smart-contract-library.
- The Wormhole NTT implementation on other chains https://github.com/wormhole-foundation/native-token-transfers.
- The Wormhole Core implementation on Algorand https://github.com/wormhole-foundation/wormhole/tree/main/algorand.
Are there any unusual points about your protocol that may confuse Security Researchers?
The external dependency of the Wormhole Core implementation on Algorand https://github.com/wormhole-foundation/wormhole/tree/main/algorand was written a long time ago so uses old outdated standards for Algorand development.
What are the most valuable educational resources already available? (i.e. documentation, explainer videos or articles, etc.)
- Algorand NTT Design - https://docs.google.com/document/d/1eli_csvdUgOrrE75dbtoSZQDxv-zAjZyBo61wyaN7jQ/edit?usp=sharing
- Wormhole NTT explainer video https://youtu.be/Od5cTaxjTiw?si=WtT5MzZvrGMEwMrZ
- Wormhole NTT Docs - https://wormhole.com/docs/products/token-transfers/native-token-transfers/overview/
- Algorand Python Docs - https://algorandfoundation.github.io/puya/
- Algorand Developer Portal - https://dev.algorand.co/
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Permanent freezing of funds
Protocol insolvency
Bypass of rate limiting mechanism
Temporary freezing of funds for at least 24 hours
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Smart contract unable to operate due to lack of token funds
Temporary freezing of funds for at least 1 hour
Contract fails to deliver promised returns, but doesn't lose value
Security best practices
Code Optimizations and Enhancements
Architectural decentralization
Out of scope
Smart Contract specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers