Yearn Finance

Yearn Finance is a suite of products in Decentralized Finance (DeFi) that provides lending aggregation and yield generation on the Ethereum blockchain. The protocol is maintained by various independent developers and is governed by YFI holders. Their products include:

Vaults Capital pools that automatically generate yield based on opportunities present in the market. Vaults benefit users by socializing gas costs, automating the yield generation and rebalancing process, and automatically shifting capital as opportunities arise. End users also do not need to have a proficient knowledge of the underlying protocols involved or DeFi, thus the Vaults represent a passive-investing strategy.

Further resources regarding Yearn Finance can be found on their website, https://yearn.finance/ and documentation.

The bug bounty program is focused around its smart contracts and is mostly concerned with the prevention of the loss of user funds.

Rewards for Smart Contract vulnerabilities are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps and smart contracts/blockchains, encompassing everything from consequence of exploitation to privilege required to likelihood of a successful exploit.

To determine the final reward amount, the likelihood to have a meaningful impact on availability, integrity, and/or loss of funds is considered. The final decision on the payout amount will be determined by the Yearn Finance team at its discretion.

Payouts are handled by the Yearn Finance team directly and are denominated in USD. Payouts can be made in USDC, DAI, YFI, or their Yearn Vault counterparts.

Smart Contract

Finding More Assets in Scope Yearn adds and removes Vaults and Strategies from Production on an ongoing basis. Yearn provides helper contracts (see table below) to list the actual contracts that are considered in scope for this bug bounty program.

The following functions can be called to obtain a list of smart contract addresses that are currently in Production and that are covered by the program:

Functions to list bounty program contracts: StrategiesHelper - assetsStrategiesAddresses()

AddressesGeneratorV2Vaults - assetsAddresses()

AddressesGeneratorIronBank - assetsAddresses()

Other contracts, outside of the ones mentioned here, might be considered on a case by case basis, as long as economic damage can be achieved.

For more further information about in-scope contracts from yearn refer to the following doc https://github.com/yearn/yearn-security/blob/master/SECURITY.md. For information about vaults and strategiesplease refer to their GitHub repository - https://github.com/yearn/yearn-vaults. Additionally, you may refer to https://seafood.yearn.watch and https://yearn.watch/stats for more information about each smart contract.

Submission Requirements

In order to be considered for a reward, all bug reports must contain the following:

• Description of suspected vulnerability
• Steps to reproduce the issue
• A valid POC showing the attack where the outcome has clear economic damage for any of the contracts listed in scope.
• Your name and/or colleagues if you wish to be later recognized
• (Optional) A patch and/or suggestions to resolve the vulnerability

Ethical Behavior Requirements

Responsible disclosure is predicated on ethical behavior. These guidelines outline best practices for the community as whole, whether you are reporting, or the recipient of a report. By stating that you adhere to this policy, you’re claiming to handle vulnerability information ethically, and abide by the following:

• Do not attempt to leverage a vulnerability, or information of its existence, as part of a financial trading strategy or otherwise for financial gain.
• Do not attempt to compromise systems upon which development of a product relies; including but not limited to compromising development systems, accounts, domains, email etc..
• Do not attempt to sell vulnerability information or exploits.
• Do not ask for any form of compensation from an affected party. You may compensate a disclosing party if you would like to after all known vulnerability details have been disclosed.
• Do not disclose a bug or vulnerability on mailing lists, public boards, forums, social media or any other channel prior to Responsibly Disclosing to the organizations you have a published relationship with
• Do not attempt any illegal acts, including phishing, physical attacks, DDoS, or any attempt to gain access without authorization

3rd Party Affected Projects

In the case where we become aware of security issues affecting other projects that has never affected Yearn, our intention is to inform those projects of security issues on a best effort basis.

In the case where we fix a security issue in Yearn that also affects the following neighboring projects, our intention is to engage in responsible disclosures with them as described in the adopted standard, subject to the deviations described in the deviations section below.

Deviations from the Standard

In the case of a counterfeiting or fund-stealing bug affecting Yearn, however, we might decide not to include those details with our reports to partners ahead of coordinated release, as long as we are sure that they are not vulnerable.

The following vulnerabilities are excluded from the rewards for this bug bounty program:

• Attacks that the reporter has already exploited themselves, leading to damage
• Attacks requiring access to leaked keys/credentials
• Attacks requiring access to privileged addresses (governance, strategist) This includes roles that potentially can be opened.
• Incorrect data supplied by third party oracles
  • Not to exclude oracle manipulation/flash loan attacks
• Basic economic governance attacks (e.g. 51% attack)
• Lack of liquidity
• Best practice critiques
• Sybil attacks
• Any report for the following helper contracts are not valid for bounties or in scope:
  • https://etherscan.io/address/0x5b4F3BE554a88Bd0f8d8769B9260be865ba03B4a
  • https://etherscan.io/address/0x437758D475F70249e03EDa6bE23684aD1FC375F0
  • https://etherscan.io/address/0xa0B57619A980DFEfD50f24F310EE1b55A40A9D46
  • https://ftmscan.com/address/0x97D0bE2a72fc4Db90eD9Dbc2Ea7F03B4968f6938
  • https://ftmscan.com/address/0x8ca27a3ab8917a033f278D20135d2467faA099bA
  • https://ftmscan.com/address/0x5ABdfDfa0cF2d83c4755E0a2a782eF57FEd5c23B
  • https://arbiscan.io/address/0x3a8efa2d87d60c0289f19b44a0928f4269c0f094
  • https://arbiscan.io/address/0x66a1a27f4b22dcaa24e427dcffbf0cddd9d35e0f
  • https://optimistic.etherscan.io/address/0xD63aB09ac2048a7eCac92f0fFad5F104edD0E032
  • https://optimistic.etherscan.io/address/0xD3A93C794ee2798D8f7906493Cd3c2A835aa0074

Rules

The rules of this bug bounty are as follows:

• Bug has not been publicly disclosed.
• Vulnerabilities that have been previously submitted by another contributor or already known by the Yearn development team are not eligible for rewards.
• The size of the bounty payout depends on the assessment of the severity of the exploit. Please refer to the rewards section below for additional details.
• Bugs must be reproducible in order for us to verify the vulnerability.
• Rewards and the validity of bugs are determined by the Yearn security team and any payouts are made at their sole discretion.
• Terms and conditions of the Bug Bounty program can be changed at any time at the discretion of Yearn.
• Details of any valid bugs may be shared with complementary protocols utilized in the Yearn ecosystem in order to promote ecosystem cohesion and safety.

Bug Bounty FAQ

Q: Is there a time limit for the Bug Bounty program? A: No. The Bug Bounty program currently has no end date, but this can be changed at any time at the discretion of Yearn.

Q: Can I submit bugs anonymously and still receive payment? A: Yes. If you wish to remain anonymous you can do so and still be eligible for rewards as long as they are for valid bugs. Rewards will be sent to the valid Ethereum address that you provide.

Q: Can I donate my reward to charity? A: Yes. You may donate your reward to a charity of your choosing, or to a gitcoin grant.