Liquid Driver

Live since: 24 January 2022
KYC required: No
Maximum bounty: $120,000

Program Overview

LiquidDriver is the first liquidity mining dApp providing liquidity-as-a-service in the Fantom ecosystem.

We aim to bring its users more utility, rewards, and long-term benefits through our native token, LQDR, and ultimately become the leading liquidity-on-demand platform for dApps on the Fantom Opera Mainnet.

For more information about Liquid Driver, please visit https://www.liquiddriver.finance/.

This bug bounty program is focused on their smart contracts and on preventing:

  • Masterchef: 0x6e2ad6527901c9664f016466b8da1357a004db0f

    • Loss of user funds (principal)
    • Gain control of the contract
    • Mint LQDR
  • Masterchef Strategies:

    • Loss of user funds (principal)
    • Gain control of the contract
  • Distributor V1, V2, V3:

    • Steal user rewards
    • Gain control of the contract
    • Manipulate the mathematics (e.g. earn more rewards)
  • LinSpirit, LinSpiritManager and LinSpiritStrategy:

    • Gain control of the contract
  • LinSpiritStrategy:

    • Gain control of the contract
    • Loss of user funds (principal)
  • xLQDR:

    • Lock time and vote power manipulation
    • Transfer xLQDR
    • Drain of locked LQDR

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

All Critical Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. All High Smart Contract bug reports require a PoC to be eligible for a reward.

Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 50 000.

All vulnerabilities marked in the Solidity Finance security review are not eligible for a reward.

Payouts are handled by the Liquid Driver team directly and are denominated in USD. However, payouts are done in USDC.

Smart Contract

  • Critical: Up to USD $120,000 (PoC required)
  • High: USD $40,000 (PoC required)
  • Medium: USD $5,000
  • Low: USD $1,000

Assets in scope

All smart contracts of Liquid Driver can be found at https://github.com/LiquidDriver-finance. However, only those in the Assets in Scope table are considered in scope for the bug bounty program.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are considered out of scope, even if they affect something in the Assets in Scope table.

Smart Contract

  • Critical: Loss of user funds (principal) (Masterchef: 0x6e2ad6527901c9664f016466b8da1357a004db0f)
  • Critical: Gain control of the contract (Masterchef: 0x6e2ad6527901c9664f016466b8da1357a004db0f)
  • Critical: Mint LQDR (Masterchef: 0x6e2ad6527901c9664f016466b8da1357a004db0f)
  • Critical: Loss of user funds (principal) (Masterchef Strategies)
  • Critical: Gain control of the contract (Masterchef Strategies)
  • Critical: Gain control of the contract (Distributor V1, V2, V3)
  • Critical: Gain control of the contract (LinSpirit, LinSpiritManager and LinSpiritStrategy)
  • Critical: Gain control of the contract (LinSpiritStrategy)
  • Critical: Loss of user funds (principal) (LinSpiritStrategy)
  • Critical: Lock time and vote power manipulation (xLQDR)
  • Critical: Transfer xLQDR (xLQDR)
  • Critical: Drain of locked LQDR (xLQDR)
  • High: Steal user rewards (Distributor V1, V2, V3)
  • High: Manipulate the mathematics (e.g. earn more rewards) (Distributor V1, V2, V3)

Out of Scope & Rules

The following vulnerabilities are excluded from the rewards for this bug bounty program:

  • Attacks that the reporter has already exploited themselves, leading to damage
  • Attacks requiring access to leaked keys/credentials
  • Attacks requiring access to privileged addresses (governance, strategist)

Smart Contracts and Blockchain

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Basic economic governance attacks (e.g. 51% attack)
  • Lack of liquidity
  • Best practice critiques
  • Sybil attacks
  • Centralization risks

The following activities are prohibited by this bug bounty program:

  • Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
  • Any testing with pricing oracles or third party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty