Hydration

Hydration is the leading liquidity protocol on Polkadot. Its mission is to make DeFi efficient, simple, and unstoppable. To achieve this, Hydration unites swaps, lending and a stablecoin currency under the roof of a single, scalable appchain.

Polkadot, Blockchain, DeFi, AMM, DEX, Staking, Rust

Maximum Bounty: $1,000,000
Live Since: 20 February 2023
Last Updated: 04 December 2024
  • PoC required

Assets in Scope

| Target | Type | Added on |
|---|---|---|
|  | Blockchain/DLT - EVM precompiles | 21 May 2024 |
|  | Blockchain/DLT - EVM precompiles | 21 May 2024 |
|  | Blockchain/DLT - EVM precompiles | 21 May 2024 |
|  | Websites and Applications - repo #2 | 19 March 2024 |
|  | Websites and Applications - repo #1 | 19 March 2024 |
|  | Blockchain/DLT - traits lib | 19 March 2024 |
|  | Blockchain/DLT - XYK Math | 19 March 2024 |
|  | Blockchain/DLT - pallet-xyk | 19 March 2024 |
|  | Blockchain/DLT - pallet-xyk | 19 March 2024 |
|  | Blockchain/DLT - pallet-xyk | 19 March 2024 |
|  | Blockchain/DLT - pallet-xyk | 19 March 2024 |
|  | Blockchain/DLT - Rate Limiter Math | 19 March 2024 |

Impacts in Scope

| Severity | Title |
|---|---|
| Critical | Governance compromise |
| Critical | Identity theft that compromises user’s assets (fungible, non-fungibles) |
| Critical | Unauthorized token minting |
| Critical | Unauthorized NFT minting |
| Critical | Omnipool account theft |
| Critical | Omnipool manipulation resulting in loss/theft of liquidity |
| Critical | Double spending |
| Critical | Direct loss of funds |
| Critical | Transaction/consensus manipulation |
| Critical | Direct theft of user’s assets (fungibles, non-fungibles) |
| Critical | Performing state modifying action without user’s consent such as making trades, transfers, withdrawals etc. |
| Critical | Subdomain takeover (only applies to main Hydration web app) |

Out of scope

Program's Out of Scope information
  • Best practice critiques
  • DDoS vulnerabilities
  • Feature requests
  • Issues related to the frontend without concrete impact and PoC
  • Best practices issues without concrete impact and PoC

Default Out of Scope and rules

Blockchain/DLT specific

  • Incorrect data supplied by third party oracles
    • Not to exclude oracle manipulation/flash loan attacks
  • Impacts requiring basic economic and governance attacks (e.g. 51% attack)
  • Lack of liquidity impacts
  • Impacts from Sybil attacks
  • Impacts involving centralization risks

All categories

  • Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
  • Impacts caused by attacks requiring access to leaked keys/credentials
  • Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
  • Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
  • Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
  • Best practice recommendations
  • Feature requests
  • Impacts on test files and configuration files unless stated otherwise in the bug bounty program
  • Impacts requiring phishing or other social engineering attacks against project's employees and/or customers