Folks Finance is a leading DeFi platform providing innovative tools for lending, borrowing, trading and managing digital assets, all in one place.
Live
Runnable PoC Required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Build Commands, Test Commands, and How to Run Them See https://github.com/Folks-Finance/folks-staking-contracts?tab=readme-ov-file#usage.
Asset Accuracy Assurance Bugs found on assets incorrectly listed in-scope are valid.
Code Freeze Assurance Code of the assets in scope is frozen while the program is live.
Duplicate submissions of bugs are valid. Duplicate submissions of Insights are invalid.
The project commits to keeping private all info related to bug findings until this program is over. This means the project will not leak info about any bug findings or planned bug fixes, including bug findings found independently by the project or from concurrent private audits.
Public Disclosure of Known Issues
These aren’t necessarily “issues”, some are design decisions and tradeoffs:
- Not checking zero address
- StakeParams slippage is one directional by design
- User will have to use new account if they reach staking limit
- Not deleting “UserStake” state after everything has been withdrawn
- Not deleting “StakingPeriod” state after deactivating
- Updates to a “StakingPeriod” only impact new stakes by design
- We allow stake with 0 rewards
- We allow withdrawal of 0 amount
- We intentionally don’t allow a partial stake amount if the entire amount would cause cap to be exceed
- Operational risk of migration
- MIGRATOR_ROLE persists for user after migration
- State “migrationPermits” may contain migrator which had its MIGRATOR_ROLE later revoked
- After migration, the indexes of the “userStakes” are shuffled. This could lead to a user referencing an outdated index.
- Paused contract only prevents new stakes
- “UserStake.aprBps” is for informational purposes
- The function “stakeWithPermit” silently ignores permit failure
- Reward and accrual calculations round down
- Intentional to not decrease “capUsed” on withdrawal / migration
- Staking contract designed for ERC20 which doesn't have any fee on transfer or rebasing logic
Private Known Issues Reward Policy
Private known issues, meaning known issues that were not publicly disclosed, are valid for a reward.
Where might Security Researchers confuse out-of-scope code to be in-scope?
The MigratorV1 contract is out of scope - it’s included for testing. In addition, the potential new version of the Staking which we would migrate to, is also out of scope.
Where do you suspect there may be bugs and/or what attack vectors are you most concerned about?
An attacker being able to manipulate their rewards/stake in order to steal FOLKS from other stakers. Flows to look at should include migration.
What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported?
ERC20 which doesn’t have any fee on transfer or rebasing logic.
What emergency actions may you want to use as a reason to downgrade an otherwise valid bug report?
Ability to pause contract with PAUSER_ROLE and migrate to new Staking contract with MIGRATOR_ROLE.
What addresses would you consider any bug report requiring their involvement to be out of scope, as long as they operate within the privileges attributed to them?
Default admin, manager, pauser, migrator.
Which chains and/or networks will the code in scope be deployed to?
BNB Chain
What external dependencies are there?
FOLKS Token https://bscscan.com/address/0xFF7F8F301F7A706E3CfD3D2275f5dc0b9EE8009B
Are there any unusual points about your protocol that may confuse Security Researchers?
When the staking period ends, both principal and reward unlock linearly over a separate unlock duration, allowing partial withdrawals at any point.
What are the most valuable educational resources already available? (Ie. Documentation, Explainer videos or articles, etc)
https://github.com/Folks-Finance/folks-staking-contracts?tab=readme-ov-file#staking-contract
Permanent freezing of funds
Protocol insolvency
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Theft of unclaimed yield
Permanent freezing of unclaimed yield
Temporary freezing of funds for at least 24 hour
Smart contract unable to operate due to lack of token funds
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Unbounded gas consumption
Temporary freezing of funds for at least 1 hour
Contract fails to deliver promised returns, but doesn't lose value
Security best practices
Out of scope
Smart Contract specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers