Aurigami Bug Bounties

Program Overview

Aurigami is a decentralised, non-custodial liquidity protocol. The protocol enables users to effortlessly lend, borrow, and earn interest with their digital assets. Depositors provide liquidity to the protocol to earn a passive income, while borrowers are able to borrow in an over-collateralised fashion.

For more information about Aurigami, please visit https://www.aurigami.finance/.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

All smart contracts bug reports must come with a reproducible simulation PoC using either Hardhat or Foundry to be considered for a reward. Explanations and statements are not accepted as PoC and code is required. However, in case no PoC can be created yet there are strong reasons to believe an exploit can take place, the team will still award the whitehat.

All web/app bug reports must come with a PoC with an end-effect impacting an asset-in-scope in order to be considered for a reward. Explanations and statements are not accepted as PoC and code is required.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50 000.

All vulnerabilities marked in https://github.com/Aurigami-Finance/aurigami-smart-contracts/tree/main/docs are not eligible for a reward.

Payouts are handled by the Aurigami team directly and are denominated in USD. However, payouts are done in USDC and PLY, up to 80% of the rewards can be paid in PLY.

Smart Contract

Critical
Level: Up to USD $500,000
Payout

High
Level: USD $20,000
Payout

Medium
Level: USD $5,000
Payout

Websites and Applications

Critical
Level: USD $10,000
Payout

High
Level: USD $5,000
Payout

Medium
Level: USD $1,000
Payout

Assets in scope

https://aurorascan.dev/address/0x817af6cfAF35BdC1A634d6cC94eE9e4c68369Aeb
Target
Smart Contract - Unitroller
Type
https://aurorascan.dev/address/0x0Bc03bd8d4aF1e8bab2194860268F5774C9d400a
Target
Smart Contract - JumpRateModel
Type
https://aurorascan.dev/address/0xC6e5185438e1730959c1eF3551059A3feC744E90
Target
Smart Contract - AuriOracle
Type
https://aurorascan.dev/address/0x4f0d864b1ABf4B701799a0b30b57A22dFEB5917b
Target
Smart Contract - auUSDC - AuErc20
Type
https://aurorascan.dev/address/0xca9511B610bA5fc7E311FDeF9cE16050eE4449E9
Target
Smart Contract - auETH - AuETH
Type
https://aurorascan.dev/address/0xCFb6b0498cb7555e7e21502E0F449bf28760Adbb
Target
Smart Contract - auWBTC - AuErc20
Type
https://aurorascan.dev/address/0xaD5A2437Ff55ed7A8Cad3b797b3eC7c5a19B1c54
Target
Smart Contract - auUSDT - AuErc20
Type
https://aurorascan.dev/address/0xaE4fac24dCdAE0132C6d04f564dCf059616E9423
Target
Smart Contract - auWNEAR - AuErc20
Type
https://aurorascan.dev/address/0x3195949f267702723bc614cAE037cdc8D1E94786
Target
Smart Contract - auSTNEAR - AuErc20
Type
https://aurorascan.dev/address/0x8888682E24dd4Df7B7Ff2B91fccB575737E433bf
Target
Smart Contract - auAURORA - AuErc20
Type
https://aurorascan.dev/address/0x6Ea6C03061bDdCE23d4Ec60B6E6e880c33d24dca
Target
Smart Contract - auTRI - AuErc20
Type
https://aurorascan.dev/address/0xC9011e629c9d0b8B1e4A2091e123fBB87B3A792c
Target
Smart Contract - auPLY - AuErc20
Type
https://aurorascan.dev/address/0xC9A848AC73e378516B16E4EeBBa5ef6aFbC0BBc2
Target
Smart Contract - FairLaunch
Type
https://aurorascan.dev/address/0x04Ac48711BCdc45b4d223fb021E09DA73c71095e
Target
Smart Contract - PULP
Type
https://app.aurigami.finance/
Target
Websites and Applications - Main Web App
Type

All smart contracts of Aurigami can be found at https://github.com/Aurigami-Finance. However, only those in the Assets in Scope table are considered as in-scope of the bug bounty program.

If an impact can be caused to any other asset managed by Aurigami that isn’t on this table but for which the impact is in the Impacts in Scope section below, you are encouraged to submit it for the consideration by the project.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Critical
Impact
Permanent freezing of funds
Critical
Impact
Protocol Insolvency
Critical
Impact
Theft of unclaimed yield
High
Impact
Permanent freezing of unclaimed yield
High
Impact
Temporary freezing of funds for at least 24 hours
High
Impact
Critical actions that can't be executed due to NEAR gas limit
High
Impact
Smart contract unable to operate due to lack of token funds
Medium
Impact
Block stuffing for profit
Medium
Impact
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Medium
Impact

Websites and Applications

Execute arbitrary system commands
Critical
Impact
Retrieve sensitive data/files from a running server such as /etc/shadow, database passwords, and blockchain keys(this does not include non-sensitive environment variables, open source code, or usernames)
Critical
Impact
Taking state-modifying authenticated actions (with or without blockchain state interaction) on behalf of other users without any interaction by that user, such as, changing registration information, commenting, voting, making trades, withdrawals, etc.
Critical
Impact
Subdomain takeover with already-connected wallet interaction
Critical
Impact
Direct theft of user funds
Critical
Impact
Malicious interactions with an already-connected wallet such as modifying transaction arguments or parameters, substituting contract addresses, submitting malicious transactions
Critical
Impact
Injecting/modifying the static content on the target application without Javascript (Persistent) such as HTML injection without Javascript, replacing existing text with arbitrary text, arbitrary file uploads, etc.
High
Impact
Changing sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as email or password of the victim, etc.
High
Impact
Improperly disclosing confidential user information such as email address, phone number, physical address, etc.
High
Impact
Subdomain takeover without already-connected wallet interaction
High
Impact
Changing non-sensitive details of other users (including modifying browser local storage) without already-connected wallet interaction and with up to one click of user interaction, such as changing the first/last name of user, or en/disabling notification
Medium
Impact
Taking down the application/website
Medium
Impact
Injecting/modifying the static content on the target application without Javascript (Reflected) such as reflected HTML injection or loading external site data
Medium
Impact
Redirecting users to malicious websites (Open Redirect)
Medium
Impact

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

Attacks that the reporter has already exploited themselves, leading to damage
Attacks requiring access to leaked keys/credentials
Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
Basic economic governance attacks (e.g. 51% attack)
Lack of liquidity
Best practice critiques
Sybil attacks
Centralization risks
ERC-777 related risk

Websites and Apps

Theoretical vulnerabilities without any proof or demonstration
Attacks requiring physical access to the victim device
Attacks requiring access to the local network of the victim
Reflected plain text injection ex: url parameters, path, etc.
- This does not exclude reflected HTML injection with or without javascript
- This does not exclude persistent plain text injection
Self-XSS
Captcha bypass using OCR without impact demonstration
CSRF with no state modifying security impact (ex: logout CSRF)
Missing HTTP Security Headers (such as X-FRAME-OPTIONS) or cookie security flags (such as “httponly”) without demonstration of impact
Server-side non-confidential information disclosure such as IPs, server names, and most stack traces
Vulnerabilities used only to enumerate or confirm the existence of users or tenants
Vulnerabilities requiring un-prompted, in-app user actions that are not part of the normal app workflows
Lack of SSL/TLS best practices
DDoS vulnerabilities
Feature requests
Issues related to the frontend without concrete impact and PoC
Best practices issues without concrete impact and PoC
Vulnerabilities primarily caused by browser/plugin defects
Leakage of non sensitive api keys ex: etherscan, Infura, Alchemy, etc.
Any vulnerability exploit requiring browser bugs for exploitation. ex: CSP bypass
Clickjacking

The following activities are prohibited by this bug bounty program:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty