Angle Protocol Bug Bounties

Program Overview

Angle is a decentralized, capital efficient and over-collateralized stablecoin protocol composed of smart contracts running on open blockchains.

It can be used to issue stablecoins, called agTokens, designed to mirror the value of an asset they are pegged to.

The protocol consists of several different modules, or sets of smart contracts, from which stablecoins can be issued or minted. While Angle launched its first stablecoin agEUR with a single minting module (the Core module - that was wound down in May 2023), a Borrowing module allowing to borrow Angle stablecoins against deposited collateral and a price stability module called Transmuter have then been introduced.

The protocol is also engaged into Direct Deposit Modules, also called Algorithmic Market Operations (AMOs), allowing it to boostrap liquidity for agTokens in other protocols.

For more information about Angle Protocol, please visit https://www.angle.money/.

This bug bounty program is focused on their smart contracts and is focused on preventing:

Thefts and freezing of principal of any amount
Thefts and freezing of unclaimed yield of any amount
Theft of governance funds
Governance activity disruption

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All High and Medium Smart Contract bug reports require a PoC to be eligible for a reward.

Vulnerabilities marked as “Acknowledged”, “ Accepted Risk” or “Closed” in the ChainSecurity security review from July 2021, the Sigma Prime security review from July 21, the ChainSecurity security review from December 2021, the ChainSecurity security review from April 22, the Code4rena security review from June 2023 are not eligible for a reward.

Critical-level smart contract vulnerabilities that result in the loss of user funds will have rewards additionally capped at 10% of the funds potentially affected based on the vulnerability that was identified. These rewards are payable in USDC or in ANGLE at the discretion of the team. ANGLE rewards will have a vesting schedule lasting between 6-12 months with a minimum of 6 months for rewards up to USD 200 000, with an additional month added for every USD 50 000 tranche, rounded up. However, there is a minimum of USD 50 000 for Critical bug reports.

Payouts are handled by the Angle Protocol team directly and are denominated in USD. However, payouts are done in ANGLE or USDC, with the choice of the ratio at the discretion of the team.

Smart Contract

Critical
Level: Up to USD $500,000
Payout

High
Level: USD $20,000
Payout

Medium
Level: USD $2,500
Payout

Assets in scope

https://etherscan.io/address/0x1a7e4e63778B4f12a199C062f3eFdD288afCBce8
Target
Smart Contract - AgToken
Type
https://etherscan.io/address/0x31429d1856ad1377a8a0079410b297e1a9e214c2
Target
Smart Contract - ANGLE
Type
https://etherscan.io/address/0x4f91F01cE8ec07c9B1f6a82c18811848254917Ab
Target
Smart Contract - AngleDistributor
Type
https://etherscan.io/address/0xEB7547a8a734b6fdDBB8Ce0C314a9E6485100a3C
Target
Smart Contract - LiquidityGaugeV4
Type
https://etherscan.io/address/0x9aD7e7b0877582E14c17702EecF49018DD6f2367
Target
Smart Contract - GaugeController
Type
https://etherscan.io/address/0x0C462Dbb9EC8cD1630f1728B2CFD2769d09f0dd5
Target
Smart Contract - veANGLE
Type
https://etherscan.io/address/0x4A2FF9bC686A0A23DA13B6194C69939189506F7F
Target
Smart Contract - FlashAngle
Type
https://etherscan.io/address/0x4579709627CA36BCe92f51ac975746f431890930
Target
Smart Contract - AngleRouter
Type
https://etherscan.io/address/0x8667DBEBf68B0BFa6Db54f550f41Be16c4067d60
Target
Smart Contract - Treasury
Type
https://etherscan.io/address/0x5bc6BEf80DA563EBf6Df6D6913513fa9A7ec89BE
Target
Smart Contract - CoreBorrow
Type
https://etherscan.io/address/0x241D7598BD1eb819c0E9dEd456AcB24acA623679
Target
Smart Contract - VaultManager
Type
https://etherscan.io/address/0x0652B4b3D205300f9848f0431296D67cA4397f3b
Target
Smart Contract - VaultManagerListing
Type
https://etherscan.io/address/0xC68421f20bf6f0Eb475F00b9C5484f7D0AC0331e
Target
Smart Contract - BorrowStaker
Type
https://etherscan.io/address/0x885448f5fC6F636901cc0cc92ef7477aE132bAF0
Target
Smart Contract - Oracle Borrow Module
Type
https://etherscan.io/address/0x00253582b2a3FE112feEC532221d9708c64cEFAb
Target
Smart Contract - Transmuter
Type

All smart contracts of Angle Protocol can be found in the following repositories

https://github.com/AngleProtocol/borrow-contracts: for the Borrowing module smart contracts
https://github.com/AngleProtocol/angle-router: for the routing contracts of the protocol
https://github.com/AngleProtocol/angle-transmuter: for the Transmuter smart contracts
https://github.com/AngleProtocol/angle-core: for some of the governance smart contracts

However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

Some of the contracts in scope are upgradeable and you’ll see proxies at the given addresses, make sure to look at the corresponding implementation.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

Any governance voting result manipulation
Critical
Impact
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Critical
Impact
Permanent freezing of funds
Critical
Impact
Protocol Insolvency
Critical
Impact
Miner-extractable value (MEV)
Critical
Impact
Theft of unclaimed yield
High
Impact
Permanent freezing of unclaimed yield
High
Impact
Temporary freezing of funds
High
Impact
Smart contract unable to operate due to lack of token funds
Medium
Impact
Block stuffing for profit
Medium
Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks

The following activities are prohibited by this bug bounty program:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty