Audit Comp | Firelight

Build Commands, Test Commands, and How to Run Them

Installation: git clone https://github.com/firelight-protocol/firelight-core.git cd firelight-core npm install Create your .env file using .env.sample as a reference.

Run tests: npx hardhat test

Optional: For faster test execution, comment out the forking configuration on line 29 of hardhat.config.js.

Asset Accuracy Assurance

Bugs found on assets incorrectly listed in-scope are valid.

Code Freeze Assurance

Code of the assets in scope is frozen while the program is live.

Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.

The project commits to keeping all info related to bug findings private until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.

Previous Audits

Firelight’s completed audit reports can be found at https://firelight.finance/audit.pdf. Unfixed vulnerabilities mentioned in these reports are not eligible for a reward.

Public Disclosure of Known Issues

Bug reports for publicly disclosed bugs are not eligible for a reward.

Inflation attack: This is a known issue with ERC-4626 described at https://docs.openzeppelin.com/contracts/5.x/erc4626#security-concern-inflation-attack We'll take care of this at the time of deployment.

Private Known Issues Reward Policy

Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.

Where might Security Researchers confuse out-of-scope code to be in-scope? There should be no confusion. Only one smart contract and its storage contract are in scope.

Is this an upgrade of an existing system? If so, which? And what are the main differences?

No, this is not an upgrade of an existing system and will be a first-time deployment.

Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?

Overall security and correctness are especially important.

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?

The vault is ERC-4626 compliant and holds/transfers ERC-20 tokens. No ERC-721, ERC-777, or ERC-1155 tokens are supported.

What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?

None. We do not use emergency actions as a basis to downgrade severity.

What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?

The role-based administrative addresses are considered trusted.These roles are intentionally authorized to modify configurations or perform emergency actions. Their intended permissions are not considered vulnerabilities. This includes: DEPOSIT_LIMIT_UPDATE_ROLE, RESCUER_ROLE, BLOCKLIST_ROLE, PAUSE_ROLE, PERIOD_CONFIGURATION_UPDATE_ROLE

What addresses would you consider any bug report requiring their involvement be out of scope, even if they exceed the privileges attributed to them? None.

Which chains and/or networks will the code in scope be deployed to?

Flare Network. https://flare-explorer.flare.network/

What external dependencies are there? There are no external dependencies. The system does not rely on oracles, price feeds, or external protocol integrations.

Are there any unusual points about your protocol that may confuse Security Researchers?

We do not think so. The time-based period configuration may be slightly unusual, but the implementation is straightforward and self-explanatory in the code.

What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)

https://github.com/firelight-protocol/firelight-core/blob/main/README.md