mStable
Submit a BugProgram Overview
Released in May 2020, mStable is a protocol that unites stablecoins, lending and swapping into one robust and easy to use standard. Three major problems confront stablecoin users: significant fragmentation in same-peg assets; lack of native yield when it is being increasingly demanded by users; lack of insurance against permanent capital loss. mStable’s products (SWAP, SAVE and EARN) are built specifically to address these pain-points.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
Payouts are handled by mStable directly and are denominated in USD. Payouts are made in mUSD.
Smart Contract
- Critical
- Level
- USD $50,000
- Payout
- High
- Level
- USD $8,000
- Payout
- Medium
- Level
- USD $4,000
- Payout
- Low
- Level
- USD $1,250
- Payout
- Informational
- Level
- USD $0
- Payout
Assets in scope
- Smart Contract - StakedTokenMTA: Vault that stakes MTAType
- Smart Contract - StakedTokenBPT: Vault that stakes the MTA/ETH 80/20 Balancer Pool Token (BPT).Type
- Smart Contract - Masset: mUSDType
- Smart Contract - SavingsContract: mUSD Savings ContractType
- Smart Contract - Masset: mBTCType
- Smart Contract - SavingsContract: imBTCType
- Smart Contract - FeederLogic: Library contract for Feeder PoolsType
- Smart Contract - FeederManager: Library contract for Feeder PoolsType
- Smart Contract - MassetManager: Manager contract for mAssetsType
- Smart Contract - SavingsManager: Validates and distributes system revenue to saversType
- Smart Contract - InvariantValidator: Builds on and enforces the StableSwap invariantType
- Smart Contract - BoostedSavingsVault: Savings VaultType
- Smart Contract - FeederPool: BUSD Feeder PoolType
- Smart Contract - FeederPool: GUSD Feeder PoolType
- Smart Contract - FeederPool: HBTC Feeder PoolType
- Smart Contract - FeederPool: TBTC Feeder PoolType
- Smart Contract - FeederPool: alUSD Feeder PoolType
- Smart Contract - Liquidator: LiquidatorType
- Smart Contract - QuestManager: Quest Manager that can add, complete and expire questsType
- Smart Contract - BoostedSavingsVault: GUSD Feeder Pool VaultType
- Smart Contract - BoostedSavingsVault: HBTC Feeder Pool VaultType
- Smart Contract - BoostedSavingsVault: TBTC Feeder Pool VaultType
- Smart Contract - SaveWrapper: Facilitates minting, deposits and staking of massets (mUSD and mBTC)Type
- Smart Contract - BoostDirector: Supports the directing of staked Meta (vMTA) balances to boosted vaults.Type
- Smart Contract - Nexus: Resolves module addressesType
- Smart Contract - RewardsDistributor: Distributes MTA rewards to vaultsType
- Smart Contract - DelayedProxyAdmin: Administors proxy contracts with a one week time delayType
- Smart Contract - SignatureVerifier: Used to verify quest completions signaturesType
- Smart Contract - PAaveIntegration: mUSD Aave V2 integrationType
- Smart Contract - CompoundIntegration: mUSD Compound IntegrationType
- Smart Contract - BoostedSavingsVault: imBTC VaultType
- Smart Contract - CompoundIntegration: BUSD FP Iron Bank Integration for mBTCType
- Smart Contract - BoostedSavingsVault: BUSD Feeder Pool VaultType
- Smart Contract - CompoundIntegration: GUSD FP Iron Bank Integration for mBTCType
- Smart Contract - BoostedSavingsVault: alUSD Feeder Pool VaultType
- Smart Contract - InterestValidator: Collects interest and gov fees from Feeder PoolsType
- Smart Contract - RevenueRecipient: Receives governance fees and deposits to Balancer poolType
- Smart Contract - AlchemixIntegration: alUSD FP integration to Alchemix's alUSD staking poolType
- Smart Contract - Masset: mUSDType
- Smart Contract - MassetManager: Library contract for mUSDType
- Smart Contract - MassetLogic: Library contract for mUSDType
- Smart Contract - SavingsContract: imUSDType
- Smart Contract - FeederPool: FRAX Feeder PoolType
- Smart Contract - SavingsManager: Validates and distributes system revenue to saversType
- Smart Contract - Pliquidator: Liquidates wmatic rewards or USDCType
- Smart Contract - Masset: imUSD VaultType
- Smart Contract - DelayedProxyAdmin: Time delayed proxy adminType
- Smart Contract - PAaveIntegration: Aave integration contractType
- Smart Contract - InterestValidator: Validates the platform interest collection from the Feeder PoolsType
- Smart Contract - SaveWrapper: Facilitates minting, deposits and staking of massets (mUSD and mBTC)Type
- Smart Contract - Nexus: Resolves module addressesType
- Smart Contract - RewardsDistributor: Distributes MTA rewards to vaultsType
- Smart Contract - Basic Rewards ForwarderType
- TargetSmart Contract - Bridge ForwarderType
- https://github.com/mstable/mStable-contracts/blob/master/contracts/emissions/EmissionsController.solTargetSmart Contract - Emissions ControllerType
- TargetSmart Contract - L2 Bridge RecipientType
- Smart Contract - L2 Emissions ControllerType
Any Proxy contracts listed in the Assets in Scope table also include the currently active logic contracts, and any external or internal libraries that are used in these.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Smart Contract
- Any governance voting result manipulationCriticalImpact
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yieldCriticalImpact
- Permanent freezing of fundsCriticalImpact
- Theft of unclaimed yieldHighImpact
- Permanent freezing of unclaimed yieldHighImpact
- Temporary freezing of fundsHighImpact
- Smart contract unable to operate due to lack of token fundsMediumImpact
- Block stuffing for profitMediumImpact
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)MediumImpact
- Theft of gasMediumImpact
- Unbounded gas consumptionMediumImpact
- Contract fails to deliver promised returns, but doesn't lose valueLowImpact
Out of Scope & Rules
The following Immunefi Commonly Excluded Vulnerabilities are excluded from the mStable bug bounty program.
The following activities are prohibited by bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty