MetaStreet
The MetaStreet v2 Pool is a permissionless NFT-collateralized lending pool with automatic tranching. The Pool is responsible for organizing lending capital with different risk and rate profiles from depositors into fixed-duration loans for borrowers.
PoC required
Assets in Scope
Impacts in Scope
Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Direct theft of any user NFTs, whether at-rest or in-motion, other than unclaimed royalties
Permanent freezing of funds
Permanent freezing of NFTs
Creating a loan with a greater principal than allowed by depositor risk limits
Creating a bundle-collateralized loan with a greater multiplier in the principal than there are NFTs in the bundle
Theft of unclaimed yield
Permanent freezing of unclaimed yield
Temporary freezing of funds
Temporary freezing of NFTs
Creating interest-free loans of typical principal and duration
Denial of service in loan repayment or liquidation
Out of scope
- Impacts involving unsupported tokens (tokens with transfer hooks (e.g. ERC777), fee-on-transfer tokens, blocklistable tokens, and non-standard ERC20 or ERC721 tokens)
- Impacts involving griefing and/or denial of service in the Collateral Liquidator due to using unsupported tokens
- Impacts involving the Pool or Collateral Liquidator deployed with misconfigured or malicious parameters
- Theft of unclaimed yield by speculation on loan repayment or liquidation
- Freezing of tokens or funds due to unsupported airdrops to assets in escrow
- Interest-free loans caused by integer truncation due to short duration, small principal, or small interest rate
Smart Contract specific
- Incorrect data supplied by third party oracles (this does not exclude oracle manipulation/flash loan attacks)
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against the project's employees and/or customers