Audit Comp | Lombard

Proof of Concept (PoC) Requirements

A PoC, demonstrating the bug's impact, is required for this program and has to comply with the Immunefi PoC Guidelines and Rules.

Whitehat Educational Resources & Technical Info

https://docs.lombard.finance/

What ERC20 / ERC721 / ERC777 / ERC1155 token standards are supported? Which are not?

ERC-20, ERC-20 Permit

What emergency actions may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

If the Ethereum mainnet contract is Paused or upgraded from the audit competition version.

What monitoring systems may you want to use as a reason to invalidate or downgrade an otherwise valid bug report?

We use https://www.hexagate.com/ for contracts monitoring.

What addresses are considered out of scope for bug reports requiring their involvement, regardless of whether they operate within or exceed their attributed privileges?

All admin and operational roles are out of scope

Which chains and/or networks will the code in scope be deployed to?

Ethereum, Base, BSC

Is this an upgrade of an existing system? If so, which? And what are the main differences?

It's an upgrade and extension of the contracts deployed here: https://etherscan.io/address/0x4cbd8802465f690e7637454783955fa8e6d0c4bc#code https://etherscan.io/address/0x67927d7ea19f9a1053f4f5bbdf827ed9870f1a1b#code The main difference is upgraded and extended logic(for example TSS was replaced with multisig), and also new contracts which provide new functionality to the Lombard stack(like integration with Chaiblink bridge and Layerzero, previous contract also had bridge functions but it never was used and was moved to separate contract). Also, there is new logic and a new contract for improved user experience (mintWithFee)

Where do you suspect there may be bugs? We are most concerned about stealing or loss of funds. We would most like security researchers to break our 1:1 peg with bitcoin by contract exploits, and to focus on how to steal funds from another user through the contracts provided. We are most concerned about re-entrancy attacks and malicious payload injections as attack vectors. Different ways that allow double claiming of deposits.

What external dependencies are there? We rely on OpenZeppelin contracts for a lot of boilerplate Solidity code (https://github.com/OpenZeppelin/openzeppelin-contracts and https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable). On top of this, we depend on Chainlink and LayerZero code for bridging (https://github.com/Cyfrin/ccip-contracts and https://github.com/LayerZero-Labs/LayerZero-v2/tree/main/packages/layerzero-v2/evm).

Where might Security Researchers confuse out-of-scope code to be in-scope? All admin/operator functions are out of scope, and all notarization systems(lombard/chainlink/LayerZero) are out of scope. For upgradable contracts, all bugs that can be fixed by upgrade and do not bring financial damage are counted as low severity.

Are there any unusual points about your protocol that may confuse Security Researchers? We use complex bridging code and extend base functionality for given contracts in this regard, which takes a bit of back and forth reading to understand. In this case, specifically, there will be some logic that will be activated given a setting about enabling attestations; in a mainnet scenario, we should always assume that attestations are enabled. We have a complex notarization system with different validators, so there is no centralization.