mStable Bug Bounties

Program Overview

Released in May 2020, mStable is a protocol that unites stablecoins, lending and swapping into one robust and easy to use standard. Three major problems confront stablecoin users: significant fragmentation in same-peg assets; lack of native yield when it is being increasingly demanded by users; lack of insurance against permanent capital loss. mStable’s products (SWAP, SAVE and EARN) are built specifically to address these pain-points.

Rewards by Threat Level

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

Payouts are handled by mStable directly and are denominated in USD. Payouts are made in mUSD.

Smart Contract

Critical
Level: USD $50,000
Payout

High
Level: USD $8,000
Payout

Medium
Level: USD $4,000
Payout

Low
Level: USD $1,250
Payout

Informational
Level: USD $0
Payout

Assets in scope

https://etherscan.io/address/0x8f2326316eC696F6d023E37A9931c2b2C177a3D7
Target
Smart Contract - StakedTokenMTA: Vault that stakes MTA
Type
https://etherscan.io/address/0xeFbe22085D9f29863Cfb77EEd16d3cC0D927b011
Target
Smart Contract - StakedTokenBPT: Vault that stakes the MTA/ETH 80/20 Balancer Pool Token (BPT).
Type
https://etherscan.io/address/0xe2f2a5C287993345a840Db3B0845fbC70f5935a5
Target
Smart Contract - Masset: mUSD
Type
https://etherscan.io/address/0x30647a72dc82d7fbb1123ea74716ab8a317eac19
Target
Smart Contract - SavingsContract: mUSD Savings Contract
Type
https://etherscan.io/address/0x945Facb997494CC2570096c74b5F66A3507330a1
Target
Smart Contract - Masset: mBTC
Type
https://etherscan.io/address/0x17d8CBB6Bce8cEE970a4027d1198F6700A7a6c24
Target
Smart Contract - SavingsContract: imBTC
Type
https://etherscan.io/address/0x2837C77527c37d61D9763F53005211dACB4125dE
Target
Smart Contract - FeederLogic: Library contract for Feeder Pools
Type
https://etherscan.io/address/0x90aE544E8cc76d2867987Ee4f5456C02C50aBd8B
Target
Smart Contract - FeederManager: Library contract for Feeder Pools
Type
https://etherscan.io/address/0x1E91F826fa8aA4fa4D3F595898AF3A64dd188848
Target
Smart Contract - MassetManager: Manager contract for mAssets
Type
https://etherscan.io/address/0xBC3B550E0349D74bF5148D86114A48C3B4Aa856F
Target
Smart Contract - SavingsManager: Validates and distributes system revenue to savers
Type
https://etherscan.io/address/0xca480d596e6717c95a62a4dc1bd4fbd7b7e7d705
Target
Smart Contract - InvariantValidator: Builds on and enforces the StableSwap invariant
Type
https://etherscan.io/address/0x78BefCa7de27d07DC6e71da295Cc2946681A6c7B
Target
Smart Contract - BoostedSavingsVault: Savings Vault
Type
https://etherscan.io/address/0xfE842e95f8911dcc21c943a1dAA4bd641a1381c6
Target
Smart Contract - FeederPool: BUSD Feeder Pool
Type
https://etherscan.io/address/0x4fB30C5A3aC8e85bC32785518633303C4590752d
Target
Smart Contract - FeederPool: GUSD Feeder Pool
Type
https://etherscan.io/address/0x48c59199Da51B7E30Ea200a74Ea07974e62C4bA7
Target
Smart Contract - FeederPool: HBTC Feeder Pool
Type
https://etherscan.io/address/0xb61A6F928B3f069A68469DDb670F20eEeB4921e0
Target
Smart Contract - FeederPool: TBTC Feeder Pool
Type
https://etherscan.io/address/0x4eaa01974B6594C0Ee62fFd7FEE56CF11E6af936
Target
Smart Contract - FeederPool: alUSD Feeder Pool
Type
https://etherscan.io/address/0xe595D67181D701A5356e010D9a58EB9A341f1DbD
Target
Smart Contract - Liquidator: Liquidator
Type
https://etherscan.io/address/0x861f12764780896FD783eA615Dd55Df0FF865752
Target
Smart Contract - QuestManager: Quest Manager that can add, complete and expire quests
Type
https://etherscan.io/address/0xAdeeDD3e5768F7882572Ad91065f93BA88343C99
Target
Smart Contract - BoostedSavingsVault: GUSD Feeder Pool Vault
Type
https://etherscan.io/address/0xF65D53AA6e2E4A5f4F026e73cb3e22C22D75E35C
Target
Smart Contract - BoostedSavingsVault: HBTC Feeder Pool Vault
Type
https://etherscan.io/address/0x760ea8CfDcC4e78d8b9cA3088ECD460246DC0731
Target
Smart Contract - BoostedSavingsVault: TBTC Feeder Pool Vault
Type
https://etherscan.io/address/0x0CA7A25181FC991e3cC62BaC511E62973991f325
Target
Smart Contract - SaveWrapper: Facilitates minting, deposits and staking of massets (mUSD and mBTC)
Type
https://etherscan.io/address/0xBa05FD2f20AE15B0D3f20DDc6870FeCa6ACd3592
Target
Smart Contract - BoostDirector: Supports the directing of staked Meta (vMTA) balances to boosted vaults.
Type
https://etherscan.io/address/0xafce80b19a8ce13dec0739a1aab7a028d6845eb3
Target
Smart Contract - Nexus: Resolves module addresses
Type
https://etherscan.io/address/0x04dfDfa471b79cc9E6E8C355e6C71F8eC4916C50
Target
Smart Contract - RewardsDistributor: Distributes MTA rewards to vaults
Type
https://etherscan.io/address/0x5C8eb57b44C1c6391fC7a8A0cf44d26896f92386
Target
Smart Contract - DelayedProxyAdmin: Administors proxy contracts with a one week time delay
Type
https://etherscan.io/address/0xC973413fe4944682910b97b261456EB9633A4756
Target
Smart Contract - SignatureVerifier: Used to verify quest completions signatures
Type
https://etherscan.io/address/0xA2a3CAe63476891AB2d640d9a5A800755Ee79d6E
Target
Smart Contract - PAaveIntegration: mUSD Aave V2 integration
Type
https://etherscan.io/address/0xD55684f4369040C12262949Ff78299f2BC9dB735
Target
Smart Contract - CompoundIntegration: mUSD Compound Integration
Type
https://etherscan.io/address/0xF38522f63f40f9Dd81aBAfD2B8EFc2EC958a3016
Target
Smart Contract - BoostedSavingsVault: imBTC Vault
Type
https://etherscan.io/address/0x2A15794575e754244F9C0A15F504607c201f8AfD
Target
Smart Contract - CompoundIntegration: BUSD FP Iron Bank Integration for mBTC
Type
https://etherscan.io/address/0xD124B55f70D374F58455c8AEdf308E52Cf2A6207
Target
Smart Contract - BoostedSavingsVault: BUSD Feeder Pool Vault
Type
https://etherscan.io/address/0xaF007D4ec9a13116035a2131EA1C9bc0B751E3cf
Target
Smart Contract - CompoundIntegration: GUSD FP Iron Bank Integration for mBTC
Type
https://etherscan.io/address/0x0997dDdc038c8A958a3A3d00425C16f8ECa87deb
Target
Smart Contract - BoostedSavingsVault: alUSD Feeder Pool Vault
Type
https://etherscan.io/address/0xf1049aeD858C4eAd6df1de4dbE63EF607CfF3262
Target
Smart Contract - InterestValidator: Collects interest and gov fees from Feeder Pools
Type
https://etherscan.io/address/0xA7824292efDee1177a1C1BED0649cfdD6114fed5
Target
Smart Contract - RevenueRecipient: Receives governance fees and deposits to Balancer pool
Type
https://etherscan.io/address/0xd658d5fDe0917CdC9b10cAadf10E20d942572a7B
Target
Smart Contract - AlchemixIntegration: alUSD FP integration to Alchemix's alUSD staking pool
Type
https://polygonscan.com/address/0xE840B73E5287865EEc17d250bFb1536704B43B21
Target
Smart Contract - Masset: mUSD
Type
https://polygonscan.com/address/0xB9E0408bE53a91A31828b3A175230f0dCd8c117e
Target
Smart Contract - MassetManager: Library contract for mUSD
Type
https://polygonscan.com/address/0xB9cCA2B53e8D7bC4cBDDCcb66d20B411B87d213f
Target
Smart Contract - MassetLogic: Library contract for mUSD
Type
https://polygonscan.com/address/0x5290Ad3d83476CA6A2b178Cd9727eE1EF72432af
Target
Smart Contract - SavingsContract: imUSD
Type
https://polygonscan.com/address/0xB30a907084AC8a0d25dDDAB4E364827406Fd09f0
Target
Smart Contract - FeederPool: FRAX Feeder Pool
Type
https://polygonscan.com/address/0x10bFcCae079f31c451033798a4Fd9D2c33Ea5487
Target
Smart Contract - SavingsManager: Validates and distributes system revenue to savers
Type
https://polygonscan.com/address/0x9F1C06CC13EDc7691a2Cf02E31FaAA64d57867e2
Target
Smart Contract - Pliquidator: Liquidates wmatic rewards or USDC
Type
https://polygonscan.com/address/0x32aBa856Dc5fFd5A56Bcd182b13380e5C855aa29
Target
Smart Contract - Masset: imUSD Vault
Type
https://polygonscan.com/address/0xCb6E4B67f2cac15c284AB49B6a4A671cdfe66711
Target
Smart Contract - DelayedProxyAdmin: Time delayed proxy admin
Type
https://polygonscan.com/address/0xeab7831c96876433dB9B8953B4e7e8f66c3125c3
Target
Smart Contract - PAaveIntegration: Aave integration contract
Type
https://polygonscan.com/address/0x4A268958BC2f0173CDd8E0981C4c0a259b5cA291
Target
Smart Contract - InterestValidator: Validates the platform interest collection from the Feeder Pools
Type
https://polygonscan.com/address/0x299081f52738A4204C3D58264ff44f6F333C6c88
Target
Smart Contract - SaveWrapper: Facilitates minting, deposits and staking of massets (mUSD and mBTC)
Type
https://polygonscan.com/address/0x3C6fbB8cbfCB75ecEC5128e9f73307f2cB33f2f6
Target
Smart Contract - Nexus: Resolves module addresses
Type
https://polygonscan.com/address/0x3e9d19ee1893B07e22165C54c205702C90C70847
Target
Smart Contract - RewardsDistributor: Distributes MTA rewards to vaults
Type
https://github.com/mstable/mStable-contracts/blob/master/contracts/emissions/BasicRewardsForwarder.sol
Target
Smart Contract - Basic Rewards Forwarder
Type
https://github.com/mstable/mStable-contracts/blob/master/contracts/emissions/BridgeForwarder.sol
Target
Smart Contract - Bridge Forwarder
Type
https://github.com/mstable/mStable-contracts/blob/master/contracts/emissions/EmissionsController.sol
Target
Smart Contract - Emissions Controller
Type
https://github.com/mstable/mStable-contracts/blob/master/contracts/emissions/L2BridgeRecipient.sol
Target
Smart Contract - L2 Bridge Recipient
Type
https://github.com/mstable/mStable-contracts/blob/master/contracts/emissions/L2EmissionsController.sol
Target
Smart Contract - L2 Emissions Controller
Type

Any Proxy contracts listed in the Assets in Scope table also include the currently active logic contracts, and any external or internal libraries that are used in these.

Impacts in scope

Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.

Smart Contract

Any governance voting result manipulation
Critical
Impact
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Critical
Impact
Permanent freezing of funds
Critical
Impact
Theft of unclaimed yield
High
Impact
Permanent freezing of unclaimed yield
High
Impact
Temporary freezing of funds
High
Impact
Smart contract unable to operate due to lack of token funds
Medium
Impact
Block stuffing for profit
Medium
Impact
Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)
Medium
Impact
Theft of gas
Medium
Impact
Unbounded gas consumption
Medium
Impact
Contract fails to deliver promised returns, but doesn't lose value
Low
Impact

Out of Scope & Rules

The following Immunefi Commonly Excluded Vulnerabilities are excluded from the mStable bug bounty program.

The following activities are prohibited by bug bounty program:

Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
Any testing with pricing oracles or third party smart contracts
Attempting phishing or other social engineering attacks against our employees and/or customers
Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
Any denial of service attacks
Automated testing of services that generates significant amounts of traffic
Public disclosure of an unpatched vulnerability in an embargoed bounty