mStable
Submit a BugProgram Overview
Released in May 2020, mStable is a protocol that unites stablecoins, lending and swapping into one robust and easy to use standard. Three major problems confront stablecoin users: significant fragmentation in same-peg assets; lack of native yield when it is being increasingly demanded by users; lack of insurance against permanent capital loss. mStable’s products (SWAP, SAVE and EARN) are built specifically to address these pain-points.
Rewards by Threat Level
Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.
Payouts are handled by mStable directly and are denominated in USD. Payouts are made in mUSD.
Smart Contract
- Critical
- Level
- USD $50,000
- Payout
- High
- Level
- USD $8,000
- Payout
- Medium
- Level
- USD $4,000
- Payout
- Low
- Level
- USD $1,250
- Payout
- Informational
- Level
- USD $0
- Payout
Assets in scope
- Smart Contract - StakedTokenMTA: Vault that stakes MTAType
- Smart Contract - StakedTokenBPT: Vault that stakes the MTA/ETH 80/20 Balancer Pool Token (BPT).Type
- Smart Contract - Masset: mUSDType
- Smart Contract - SavingsContract: mUSD Savings ContractType
- Smart Contract - Masset: mBTCType
- Smart Contract - SavingsContract: imBTCType
- Smart Contract - MassetManager: Manager contract for mAssetsType
- Smart Contract - SavingsManager: Validates and distributes system revenue to saversType
- Smart Contract - InvariantValidator: Builds on and enforces the StableSwap invariantType
- Smart Contract - BoostedSavingsVault: Savings VaultType
- Smart Contract - UnliquidatorType
- Smart Contract - QuestManager: Quest Manager that can add, complete and expire questsType
- Smart Contract - SaveWrapper: Facilitates minting, deposits and staking of massets (mUSD and mBTC)Type
- Smart Contract - Unwrapper: Facilitates direct withdrawals from the VaultsType
- Smart Contract - BoostDirector: Supports the directing of staked Meta (vMTA) balances to boosted vaults.Type
- Smart Contract - Nexus: Resolves module addressesType
- Smart Contract - RewardsDistributor: Distributes MTA rewards to vaultsType
- Smart Contract - DelayedProxyAdmin: Administors proxy contracts with a one week time delayType
- Smart Contract - InstantProxyAdmin: Administors proxy contracts with no time delayType
- Smart Contract - SignatureVerifier: Used to verify quest completions signaturesType
- Smart Contract - PAaveIntegration: mUSD Aave V2 integrationType
- Smart Contract - CompoundIntegration: mUSD Compound IntegrationType
- Smart Contract - BoostedSavingsVault: imBTC VaultType
- Smart Contract - Masset: mUSDType
- Smart Contract - MassetManager: Library contract for mUSDType
- Smart Contract - MassetLogic: Library contract for mUSDType
- Smart Contract - SavingsContract: imUSDType
- Smart Contract - SavingsManager: Validates and distributes system revenue to saversType
- Smart Contract - Masset: imUSD VaultType
- Smart Contract - DelayedProxyAdmin: Time delayed proxy adminType
- Smart Contract - PAaveIntegration: Aave integration contractType
- Smart Contract - SaveWrapper: Facilitates minting, deposits and staking of massets (mUSD and mBTC)Type
- Smart ContractType
- Smart Contract - Nexus: Resolves module addressesType
- Smart Contract - RewardsDistributor: Distributes MTA rewards to vaultsType
- Smart Contract - Basic Rewards ForwarderType
- TargetSmart Contract - Bridge ForwarderType
- Smart Contract - Emissions ControllerType
- Smart Contract - L2 Bridge RecipientType
- Smart Contract - L2 Emissions ControllerType
- Smart Contract - CowSwapDexType
- Smart Contract - Liquidator ImplType
- Smart Contract - Liquidator ProxyType
- Smart Contract - Curve3CrvMetapoolCalculatorLibraryType
- Smart Contract - Curve3CrvFactoryMetapoolCalculatorLibraryType
- Smart Contract - Curve3CrvCalculatorLibraryType
- Smart Contract - mUSD Convex Vault implType
- Smart Contract - mUSD Convex Vault proxyType
- Smart Contract - FRAX Convex Vault implType
- Smart Contract - FRAX Convex Vault proxyType
- Smart Contract - BUSD Convex Vault implType
- Smart Contract - BUSD Convex Vault proxyType
- Smart Contract - 3Crv Meta Vault implType
- Smart Contract - 3Crv Meta Vault proxyType
- Smart Contract - USDC 3CRV Convex Meta Vault implType
- Smart Contract - USDC 3CRV Convex Meta Vault proxyType
Any Proxy contracts listed in the Assets in Scope table also include the currently active logic contracts, and any external or internal libraries that are used in these.
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Smart Contract
- Any governance voting result manipulationCriticalImpact
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yieldCriticalImpact
- Permanent freezing of fundsCriticalImpact
- Theft of unclaimed yieldHighImpact
- Permanent freezing of unclaimed yieldHighImpact
- Temporary freezing of fundsHighImpact
- Smart contract unable to operate due to lack of token fundsMediumImpact
- Block stuffing for profitMediumImpact
- Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)MediumImpact
- Theft of gasMediumImpact
- Unbounded gas consumptionMediumImpact
- Contract fails to deliver promised returns, but doesn't lose valueLowImpact
Out of Scope & Rules
The following Immunefi Commonly Excluded Vulnerabilities are excluded from the mStable bug bounty program.
The following activities are prohibited by bug bounty program:
- Any testing with mainnet or public testnet contracts; all testing should be done on private testnets
- Any testing with pricing oracles or third party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty