CTokenNonFiatCollateral (multiple deployments)

ConvexFiatMetapoolCollateral (multiple deployments)

MorphoFiatCollateral (multiple deployments)

MorphoNonFiatCollateral (multiple deployments)

Only those listed in the Assets in Scope table are considered to be in-scope of the bug bounty program. 

__Smart Contracts__ 

- __Smart Contracts - PoC__, Smart Contract bug reports are to include a runnable Proof of Concept (PoC) in order to prove impact.  
- For more information on PoCs please visit: [Proof of Concept (PoC) Guidelines and Rules](https://immunefisupport.zendesk.com/hc/en-us/articles/9946217628561-Proof-of-Concept-PoC-Guidelines-and-Rules)
- All smart contracts of Reserve can be found at:
   - [https://github.com/reserve-protocol/protocol/tree/master/contracts](https://github.com/reserve-protocol/protocol/tree/master/contracts)
- Branches out of scope:  
   - [https://github.com/reserve-protocol/protocol/tree/master/contracts/vendor ](https://github.com/reserve-protocol/protocol/tree/master/contracts/vendor) 

Whitehats are highly encouraged to review any potential subdomains and what specific port(s) are in scope. Even though the domain may be the same, different ports may point to different assets.  

__Dev Environment and Documentation__

Reserve has included dev documentation and/or instructions to help in reviewing code and exploring for bugs:
- [https://github.com/reserve-protocol/protocol/blob/master/README.md](https://github.com/reserve-protocol/protocol/blob/master/README.md)
- [https://github.com/reserve-protocol/protocol/tree/master/docs](https://github.com/reserve-protocol/protocol/tree/master/docs)

__Impacts in Scope__

(For Blockchain/DLTR and Smart Contracts Only) This program is considered to be governed by Primacy of Rules. For more information on what this means visit: [Best Practice - Primacy of Impact vs Primacy of Rules. ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)

Impacts are based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/)

At Immunefi, we classify bugs on a simplified 5-level scale:
- Critical
- High
- Medium
- Low
- None

Reserve is DeFi’s leading platform for the permissionless creation and management of Decentralized Token Folios (DTFs). Through two distinct protocols — the Reserve Yield Protocol and the Reserve Index Protocol — Reserve enables anyone to deploy customizable, asset-backed tokens on Ethereum and Base.


Contract fails to deliver promised returns, but doesn't lose value

Theft of gas

Unbounded gas consumption, that does not cause a more severe bug

Theft of unclaimed yield

Permanent freezing of unclaimed yield

Protocol insolvency

Temporary freezing of RToken ERC20 functionality

Temporary freezing of funds

Griefing (e.g. no profit motive for an attacker, but damage to the users or the protocol)

Any governance voting result manipulation

Direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield

Permanent freezing of assets

Reserve Smart Contracts

Please review how rewards are distributed based on the [Immunefi Vulnerability Severity Classification System V2.2.](https://immunefi.com/immunefi-vulnerability-severity-classification-system-v2-2/) This is a simplified 5-level scale system with separate scales for Smart Contracts and Websites/Apps.

Rewards for critical smart contract bug reports will be further capped at 5% of direct funds at risk if the bug discovered is exploited. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused. However, there is a minimum reward of USD 100 000.

Rewards for high smart contract vulnerabilities are further capped at 5% of the funds at risk. In cases of repeatable attacks, only the first attack is considered unless the smart contract cannot be upgraded or paused.  However, there is a minimum reward of USD 10 000 for High smart contract bug reports.

| Impact     | Criteria for assessing economic damage     |
| ---------- | ---------- |
| Temporary freezing of RToken ERC20 functionality (% TVL frozen at time of submission)       | Temporary freezing time < 24hr: medium. 24hr < Temporary freezing time < *governance cycle + 1 day: high, 1%. *governance cycle + 1 day < Temporary freezing time:  high       |
| Temporary freezing of funds       | Temporary freezing time < 24hr: medium 1%. 24hr < Temporary freezing time < *governance cycle + 1 day8 days: high, 12%. *governance cycle + 1 day8 days < Temporary freezing time: 5% high       |

* governance cycle = the total time between when a proposal is made to when it can be executed. For eUSD, 1 governance cycle = 2 days (voting delay) + 3 days (voting period) + 3 days (execution delay) = 8 days

__Payouts and Payout Requirements__

Payouts are handled by the Reserve team directly and are denominated in USD. However, payouts are done in USDC and RSR. Reserve commits to honoring payouts according to the terms set out in this program at the time of report submission, and to treat this program as the agreement and source of truth concerning bug reports and responsible disclosures. 

For the purposes of determining report validity, this is a Primacy of Rules program. 

Learn more about report validity best practices here: [Best Practice - Primacy of Impact vs Primacy of Rules. ](https://immunefisupport.zendesk.com/hc/en-us/articles/12340245635089-Best-Practices-Primacy-of-Impact)

__KYC Requirements__

Reserve does have a Know Your Customer (KYC) requirement for bug bounty payouts. 

__KYC Info Required__
- Anyone who receives $600 or more from our company will need to either provide their US taxpayer information via a form W-9, or a W-8BEN declaring that they are not a US taxpayer subject to withholding.

KYC information is only required on confirmation of the validity of a bug report.  

__Audit Discoveries and Known Issues__

Bug reports covering previously-discovered bugs are not eligible for any reward through the bug bounty program. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report via Immunefi. 

Previous audits and known issues can be found at:

| Description of known issue     | Related Impact-in-Scope     |
| ---------- | ---------- |
| Asset.lotPrice() doesn't use the most recent price in case of oracle timeout ([https://github.com/code-423n4/2023-01-reserve-findings/issues/326](https://github.com/code-423n4/2023-01-reserve-findings/issues/326))       | Smart-Contract       |
| Unsafe cast of uint8 datatype to int8 ([https://github.com/code-423n4/2023-01-reserve-findings/issues/265](https://github.com/code-423n4/2023-01-reserve-findings/issues/265))       | Smart-Contract       |
| refresh() will revert on Oracle deprecation, effectively disabling part of the protocol ([https://github.com/code-423n4/2023-01-reserve-findings/issues/234](https://github.com/code-423n4/2023-01-reserve-findings/issues/234))       | Smart-Contract       |
| Shortfall might be calculated incorrectly if a price value for one collateral isn't fetched correctly ([https://github.com/code-423n4/2023-01-reserve-findings/issues/200](https://github.com/code-423n4/2023-01-reserve-findings/issues/200))       | Smart-Contract       |
| BasketHandler: Users might not be able to redeem their rToken when protocol is paused due to refreshBasket function ([https://github.com/code-423n4/2023-01-reserve-findings/issues/39](https://github.com/code-423n4/2023-01-reserve-findings/issues/39))       | Smart-Contract       |
| Attacker can cause loss to rToken holders and stakers by running BackingManager._manageTokens before rewards are claimed ([https://github.com/code-423n4/2023-02-reserve-mitigation-contest-findings/issues/22](https://github.com/code-423n4/2023-02-reserve-mitigation-contest-findings/issues/22))       | Smart-Contract       |
| StRSR: attacker can steal excess rsr that is returned after seizure ([https://github.com/code-423n4/2023-02-reserve-mitigation-contest-findings/issues/17](https://github.com/code-423n4/2023-02-reserve-mitigation-contest-findings/issues/17))       | Smart-Contract       |
| [All audit reports (Ackee, Halborn, Solidified, Trail of Bits) ](https://github.com/reserve-protocol/protocol/tree/master/audits)      | Smart-Contract       |

Reserve

Codebase