Arcade.xyz
Arcade.xyz is a first-of-its-kind Web3 platform that enables liquid lending markets for NFTs. At Arcade.xyz, we think all assets will eventually become digitized and that NFTs represent a 0 to 1 innovation in storing value and ownership attribution for unique digital assets.
PoC required
Assets in Scope
Impacts in Scope
Only the following impacts are accepted within this bug bounty program. All other impacts are not considered as in-scope, even if they affect something in the assets in scope table.
Ability for an attacker to cause the entire protocol to freeze, including loans in which they are not a counterparty
Ability for an attacker to steal any asset held by the protocol, without limitation, including loans in which they are not a counterparty
Ability for an attacker to claim collateral for defaulted loans in which they are not a counterparty
Direct theft of any staking user funds, whether at-rest or in-motion
Permanent freezing of staked funds
With the attacker as a borrower, the ability to regain control of collateral without repaying their loan
With the attacker as a borrower, the ability to force the lender to issue loan funding without placing collateral in escrow
With the attacker as a borrower, the ability to prevent a lender from claiming collateral when a loan is defaulted
With the attacker as a lender, the ability to claim collateral before the loan's due date
With the attacker as a lender, the ability to prevent borrower repayments in order to force a default
With the attacker as a lender, the ability to force a borrower to place collateral in escrow without issuing funding
With the attacker as either counterparty, the ability to force another party to enter a loan under terms they did not consent to, either via signature or via the other party submitting a function call
Out of scope
Within the defined scope above, the following general rules apply.
The bug bounty is based on the following assumptions about token behavior:
- External token contracts (for collateral and principal currency) are assumed to follow relevant token standards (ERC20, ERC721, ERC1155).
- Any attack related to token upgradeability is out of scope.
- Lost principal or fees related to fee-on-transfer tokens are out of scope.
- Attacks related to special admin permission of tokens (e.g. an ERC721 or ERC20 where admins can transfer any user’s tokens) are out of scope.
- Attacks related to explicitly malicious implementations of standard token functions (e.g. ERC20 tokens that consume the block gas limit on transfer) are out of scope.
The bug bounty assumes the following operational and trust models:
- For any contract which is Ownable or contains privileged operations for certain addresses (e.g. upgradeable contracts), the owner addresses are assumed to behave rationally and honestly.
- All contracts should be assumed to be deployed and configured correctly.
- Each counterparty in the loan process is assumed to act in their own financial self-interest.
- Users in the staking process are assumed to act in their own financial self-interest.
- Any finding or impact which is derived from one of the above assumptions being broken (e.g., an ERC721 that does not revert on a failed transfer, or an upgradeable ERC20 that can be made to fail on transfer via upgrade) is out of scope for this program.
- Any finding based on one counterparty misleading the other as to the nature of the loan principal or collateral is out of scope. For instance, a borrower using a fake BAYC contract as collateral to trick a lender into giving favorable terms is an attack that is out of scope for this program.
- Any attack related to convincing lenders to lend against assets flagged as stolen on other platforms (e.g. OpenSea) is out of scope.
- Any phishing attack that requires social engineering in order to convince one counterparty to enter a loan under false pretenses (e.g. forcing them to sign loan terms differing from those shown on a phishing UI) is considered out of scope for this program.
- Any attack that has been previously reported, whether or not it has been publicly disclosed
- Best practice critiques
- Non-protocol related attacks around signatures (e.g. phishing sites that entice users to sign signatures with unfavorable terms)
Smart Contract specific
- Incorrect data supplied by third party oracles
- (This does not exclude oracle manipulation or flash loan attacks)
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers