Folks Finance-logo

Folks Finance

Folks Finance is a community-driven DeFi protocol offering a variety of tools for digital asset management

Algorand
Defi
Lending
Python
Maximum Bounty
$100,000
Live Since
31 March 2022
Last Updated
06 December 2024
  • PoC required

  • KYC required

Rewards

Folks Finance provides rewards in USDCa on Algorand, denominated in USD.

Rewards by Threat Level

Smart Contract
Critical
Max: $100,000Min: $25,000
Primacy of Rules
High
Max: $25,000Min: $5,000
Primacy of Rules
Medium
Flat: $2,000
Primacy of Rules
Low
Flat: $1,000
Primacy of Rules
Critical Reward Calculation

Mainnet assets:

Reward amount is 10% of the funds directly affected up to a maximum of:

$100,000

Minimum reward to discourage security researchers from withholding a bug report:

$25,000

From December 9th through December 19th Folks Finance is hosting an Audit Competition on their new Liquid Staking contract.

For the duration of the Audit Competition, all vulnarbilities submitted on https://lora.algokit.io/mainnet/application/1134695678 for this Bug Bounty Program will be closed as out-of-scope and will not be rewarded.

Rewards are distributed according to the impact of the vulnerability based on the Immunefi Vulnerability Severity Classification System V2.2. This is a simplified 5-level scale, with separate scales for websites/apps, smart contracts, and blockchains/DLTs, focusing on the impact of the vulnerability reported.

Smart Contract bug reports require a PoC and a suggestion for a fix to be eligible for a reward. Explanations and statements are not accepted as PoC and code is required.

High and Critical smart contract vulnerabilities are capped at 10% of economic damage, primarily taking into consideration funds at risk, but also PR and branding aspects, at the discretion of the team. However, there is a minimum reward of USD 25 000 for Critical and USD 5 000 for High.

All vulnerabilities marked in the following Github repository https://github.com/Folks-Finance/audits are ineligible for a reward

Bug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. Previous known issues can be found at https://github.com/Folks-Finance/folks-finance-xchain-contracts/issues?q=is%3Aissue+is%3Aclosed.

In addition, below are known issues that the project is aware of but has consciously decided not to “fix”:

  • Griefing through consuming external rate limits of tokens e.g. Circle CCTP rate limits for USDC
  • Griefing through consuming internal rate limits where we have the ability to respond by temporarily boosting capacity
  • Dust positions not being liquidated because of gas fees
  • Manipulation of stable borrow rate to get cheaper borrow
  • Liquidation leading to bad debt when we are prioritising the certainty of a lesser amount of bad debt against the risk of incurring a larger amount of bad debt
  • LiquidationLogic::getMaxRepayBorrowValue can panic if privileged address sets certain parameters

KYC shall be completed for bug bounty hunters submitting a vulnerability report and requesting a reward for Critical and High Smart Contracts vulnerabilities. The basic information needed is full name, residential address, and passport details (DOB, issuing country and passport number). Based on the basic information submitted, Folks Finance team may request further information at its sole discretion for compliance with applicable Laws.

Additionally, all levels of bug bounty hunters submitting a vulnerability report and requesting a reward need to submit certification that (i) they are not acting, directly or indirectly, for or on behalf of any person, group entity, or nation named by any Executive Order or the United States Treasury Department as a terrorist, “Specially Designated National and Blocked Person,” or other banned or blocked person, entity, nation, or transaction pursuant to any law, order, rule or regulation that is enforced or administered by the Office of Foreign Assets Control; and (ii) they are not engaging in, instigating or facilitating this transaction, directly or indirectly, on behalf of any such person, group, entity, or nation. They also need to submit an attestation that all information provided is true, correct, up-to-date and not misleading. The collection of this information will be done by the Folks Finance team.

Payouts are handled by the Folks Finance team directly and are denominated in USD. However, payouts are done in USDCa.

Program Overview

Folks Finance is a community-driven DeFi protocol offering a variety of tools for digital asset management

For more information about Folks Finance, please visit https://folks.finance/.

This bounty program will expire on 31.12.2024

KYC required

The submission of KYC information is a requirement for payout processing.

Proof of Concept

Proof of concept is always required for all severities.

Responsible Publication

Category 3: Approval Required

Prohibited Activities

Default prohibited activities
  • Any testing on mainnet or public testnet deployed code; all testing should be done on local-forks of either public testnet or mainnet
  • Any testing with pricing oracles or third-party smart contracts
  • Attempting phishing or other social engineering attacks against our employees and/or customers
  • Any testing with third-party systems and applications (e.g. browser extensions) as well as websites (e.g. SSO providers, advertising networks)
  • Any denial of service attacks that are executed against project assets
  • Automated testing of services that generates significant amounts of traffic
  • Public disclosure of an unpatched vulnerability in an embargoed bounty
  • Any other actions prohibited by the Immunefi Rules

Feasibility Limitations

The project may be receiving reports that are valid (the bug and attack vector are real) and cite assets and impacts that are in scope, but there may be obstacles or barriers to executing the attack in the real world. In other words, there is a question about how feasible the attack really is. Conversely, there may also be mitigation measures that projects can take to prevent the impact of the bug, which are not feasible or would require unconventional action and hence, should not be used as reasons for downgrading a bug's severity.

Therefore, Immunefi has developed a set of feasibility limitation standards which by default states what security researchers, as well as projects, can or cannot cite when reviewing a bug report.

Severity
Min. - Max.
Critical
$25k -$100k
High
$5k -$25k
Medium
$2k
Low
$1k
Total Assets in Scope
2