SparkLend is a DAI-centric decentralised non-custodial liquidity market protocol where users can participate as suppliers or borrowers. Suppliers provide liquidity to the market to earn a passive income, while borrowers are able to borrow in an overcollateralised (perpetually) or undercollateralised (one-block liquidity) fashion.
For more information about Spark, please visit https://spark.fi/
SparkLend provides rewards in DAI. For more details about the payment process, please view the Rewards by Threat Level section further below.
SparkLend adheres to category 3. This Policy determines what information whitehats are allowed to make public from their submitted bug reports. For more information about the category selected, please refer to our Responsible Publication page.
Primacy of Impact vs Primacy of Rules
SparkLend adheres to the Primacy of Impact for the following impacts:
- Smart Contract - Critical
If an impact is covered within the Primacy of Impact, it means that even if the impacted asset is not in-scope but is owned by the project, then it would be considered as in-scope of the bug bounty program. When submitting a report, just select the Primacy of Impact asset placeholder. If the team behind this project has multiple projects, those other projects are not covered under the Primacy of Impact of this program. Instead, check if those other projects have a bug bounty program on Immunefi.
Testnet and mock files are not covered under the Primacy of Impact.
All other impacts are considered under the Primacy of Rules, which means that they are bound by the terms of the bug bounty program.
Known Issue Assurance
SparkLend commits to providing Known Issue Assurance to bug submissions through their program. This means that SparkLend will either disclose known issues publicly or at the very least privately via a self-reported bug submission in order to allow for a more objective and streamlined mediation process to prove that an issue is known. Otherwise, assuming the bug report itself is valid, it would result in the bug report being considered in-scope and due 100% of the reward with respect to the bug bounty program terms.
Immunefi Standard Badge
SparkLend has satisfied the requirements for the Immunefi Standard Badge, which is given to projects that adhere to our best practices.
Rewards by Threat Level
Rewards are distributed according to the impact the vulnerability could otherwise cause based on the Impacts in Scope table further below.
Reward Calculation for Critical Level Reports
For critical Smart Contract bugs, the reward amount is 10% of the funds directly affected up to a maximum of USD 5 000 000. The calculation of the amount of funds at risk is based on the time and date the bug report is submitted. However, a minimum reward of USD 50 000 is to be rewarded in order to incentivize security researchers against withholding a bug report.
Repeatable Attack Limitations
In cases of repeatable attacks for smart contract bugs, only the first attack is considered if the smart contracts where the vulnerability exists can be upgraded, paused, or killed. If the attack impacts a smart contract directly holding funds that cannot be upgraded or paused, the amount of funds at risk will be calculated with the impact of the first attack being at 100% and then for every 300 blocks the attack needs for subsequent attacks from the first attack the impact will be counted at a reduction of 25% from the impact of the first attack, rounded down. For avoidance of doubt, if a second attack would happen at 600 blocks and then a third at 900 blocks, the funds at risk would be counted at 50% and 25% of the reward from the first attack, respectively.
However, for smart contracts directly holding funds that cannot be paused, if a discovered vulnerability includes the temporary locking of funds that could otherwise be withdrawn and thus prevented from being stolen but still accessible to the exploiter to take the funds, the time is extended to the exact same time as temporary locking. Extensions of the temporary locking that introduce a gap where withdrawals can happen will not be considered.
Reward Calculation for High Level Reports
High smart contract impacts will be capped at up to 100% of the funds affected. In the event of temporary freezing, the reward doubles for every additional 300 blocks that the funds could be temporarily frozen, rounded down to the nearest multiple of 300, up to the hard cap of USD 100 000. However, if it is within the hard cap, there is a further hard cap of 1000% of the funds affected.
However, a temporary freezing impact with less than 150 blocks will be rewarded the flat amount of USD 10 000.
Restrictions on Security Researcher Eligibility
Security researchers who fall under any of the following are ineligible for a reward
- Compensated contributors of Spark and/or MakerDAO who have written code for at least one of the assets in scope below
SparkLend has provided these completed audit review reports for reference. Any unfixed vulnerability mentioned in these reports are not eligible for a reward.
Bug reports that require an attack that involve one or more other protocols (e.g. utilizing flash loans from a margin protocol or manipulating the spot prices on a DEX), either to make an attack more severe than it would be in isolation, or to achieve an attack that would otherwise be impossible or infeasible, would be downgraded or rejected entirely. However, they will be considered as in-scope and categorized according to the program rules as long as all of the following are true:
- Losses or other negative effects of the attack are inflicted upon SparkLend ecosystem participants
- The additional protocols used must have enough liquidity in various assets to allow the attack to succeed at the time of bug report submission. For example: if an attack requires an ETH flash loan, but the amount is larger than all the ETH available for loan across the ecosystem
Proof of Concept (PoC) Requirements
A PoC is required for the following severity levels:
- Smart Contract - Critical
- Smart Contract - High
All PoCs submitted must comply with the Immunefi-wide PoC Guidelines and Rules. Bug report submissions without a PoC when a PoC is required will not be provided with a reward.
Other Terms and Information
- In the calculation of the USD value of the total value locked metric in determining the funds at risk, it does not include outstanding borrows.
- Referenced libraries, proxy implementations and inherited contracts of all listed assets in scope are also considered in scope of the bug bounty program.
- In selecting an asset in scope that is impacted, please select the most relevant asset.
- In order to be eligible for a reward, the vulnerability must exist in the deployed smart contract and not just the GitHub file. In the event that a vulnerability exists on the GitHub file but not on the most recently deployed contract, this may be due to a fix to address a vulnerability but done in a discreet manner until proper communication can be done.
Reward Payment Terms
Reward Denomination: Payments are denominated in USD. However, payouts are done in DAI assuming a full 1:1 ratio with the USD. However, if the price of DAI deviates from the USD value by more than 1%, the amount of DAI will be adjusted.
Payout Process: All bounty payouts are handled by MakerDAO governance. Upon confirmation, bug bounty payouts should be included in the next possible ‘executive spell’, which is a governance vote with an onchain payload attached to it. This would involve sending DAI directly from the protocol’s buffer to the whitehat hacker.
Immunefi will publicly contact one of the Governance Facilitators with the request, including a specification of the respective vulnerability report, the requested amount and the Ethereum mainnet addresses of the beneficiaries. This should also include the payment details of the Immunefi fee, if it applies. Immunefi and the Maker Governance Facilitators should make sure the payout occurs up to one full calendar month after the report was approved.
For bug bounty rewards over USD 1 000 000, after the first million is paid out, the remaining amount is paid out over time with up to USD 1 000 000 per consecutive month until the determined amount for payout is reached.
- USD $50,000 to USD $5,000,000
- USD $10,000 to USD $100,000
Assets in scope
- Smart Contract - AaveOracleType
- Smart Contract - ACLManagerType
- https://github.com/marsfoundation/aave-v3-core/blob/master/contracts/protocol/tokenization/AToken.solTargetSmart Contract - AToken (proxy)Type
- Smart Contract - DaiInterestRateStrategyType
- https://github.com/marsfoundation/aave-v3-core/blob/master/contracts/protocol/pool/DefaultReserveInterestRateStrategy.solTargetSmart Contract - DefaultReserveInterestRateStrategyType
- Smart Contract - EmissionsManagerType
- Smart Contract - Incentives (proxy)Type
- Smart Contract - Pool (proxy)Type
- Smart Contract - PoolAddressProviderType
- Smart Contract - PoolAddressProviderRegistryType
- Smart Contract - PoolConfigurator (proxy)Type
- Smart Contract - SavingsDaiOracleType
- https://github.com/marsfoundation/aave-v3-core/blob/master/contracts/protocol/tokenization/StableDebtToken.solTargetSmart Contract - StableDebtToken (proxy)Type
- Smart Contract - Treasury (proxy)Type
- Smart Contract - TreasuryControllerType
- https://github.com/marsfoundation/aave-v3-core/blob/master/contracts/protocol/tokenization/VariableDebtToken.solTargetSmart Contract - VariableDebtToken (proxy)Type
- Smart Contract - WethGatewayType
- TargetSmart Contract - Primacy of ImpactType
All code of SparkLend can be found in the following repositories:
Documentation for the assets provided in the table can be found at https://devs.spark.fi/
Impacts in scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
- Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yieldCriticalImpact
- Permanent freezing of fundsCriticalImpact
- Protocol insolvencyCriticalImpact
- Theft of unclaimed yieldHighImpact
- Permanent freezing of unclaimed yieldHighImpact
- Temporary freezing of fundsHighImpact
Out of Scope & Rules
These impacts are out of scope for this bug bounty program.
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (governance, strategist) except in such cases where the contracts are intended to have no privileged access to functions that make the attack possible
- Impacts relying on attacks involving the depegging of an external stablecoin or asset (e.g., wstETH) where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
The following activities are prohibited by this bug bounty program:
- Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
- Any testing with pricing oracles or third-party smart contracts
- Attempting phishing or other social engineering attacks against our employees and/or customers
- Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
- Any denial of service attacks that are executed against project assets
- Automated testing of services that generates significant amounts of traffic
- Public disclosure of an unpatched vulnerability in an embargoed bounty