mStable

Program Overview

Released in May 2020, mStable is a protocol that unites stablecoins, lending and swapping into one robust and easy to use standard. Three major problems confront stablecoin users: significant fragmentation in same-peg assets; lack of native yield when it is being increasingly demanded by users; lack of insurance against permanent capital loss. mStable’s products (SWAP, SAVE and EARN) are built specifically to address these pain-points.

Verification

Verification of mStable’s bug bounty program on Immunefi is available at https://docs.mstable.org/protocol/security/mstable-bug-bounty

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit. Bounties may be downgraded if the vulnerability has difficult requirements to exploit, such as privileged access or uncommon interactions.

Level
Critical	$50,000
High	$8,000
Medium	$4,000
Low	$1,250
None	$0

Payouts are handled by mStable directly and are denominated in USD. Payouts are made in mUSD.

Assets in Scope

• https://github.com/mstable/mStable-contracts/tree/master
• https://github.com/mstable/mStable-contracts/tree/master-v2
• https://docs.mstable.org/developers/deployed-addresses

Prioritized Vulnerabilities

We are especially interested in receiving and rewarding vulnerabilities of the following types:

• Loss of collateral or stealing of funds from the mAsset, resulting in it becoming under-collateralised
  • related: contracts/masset/*/*
• Unfair payouts through SAVE, MINT, REDEEM or SWAP functionalities that results in under-collateralised or affected system
  • related: contracts/masset/**/*, contracts/savings/*
• Manipulating or circumvention of mStable governance mechanism
  • related: contracts/nexus/Nexus.sol, contracts/governance/*
• Locking or freezing or any of the mStable contracts or inability to upgrade
  • related: contracts/upgradability/*
• Ineffective or error prone forge validation mechanisms
  • related: contracts/masset/forge-validator/*

Additionally, mStable seeks reports of the following Immunefi Common Vulnerabilities.

The following Immunefi Commonly Excluded Vulnerabilities are excluded from the mStable bug bounty program.

Rules

• Public disclosure of the vulnerability, before explicit consent from mStable to do so, will make the vulnerability ineligible for a bounty
• Attempting to exploit the vulnerability in any public Ethereum network will also make it ineligible for a bounty
• Only unknown vulnerabilities will be awarded a bounty; in case of duplicate reports, the first report will be awarded the bounty
• If you want to add more information to a provided issue, create a new submission giving reference to the initial one
• Rewards will be decided on a case by case basis and the bug bounty program, terms, and conditions are at the sole discretion of mStable
• Submissions need to be related with the Bounty Scope. Submissions out of the Bounty Scope won’t be eligible for a reward
• Any interference with the protocol, client or platform services, on purpose or not during the process will make the submission invalid
• Terms and conditions of the bug bounty process may vary over time
• It is mandatory to read and follow the responsible disclosure policy available in the references. Submissions not following the disclosure policy will not be eligible for a reward

Participants in the mStable bug bounty program must also follow the Immunefi Standard Rules.