
Resonate
Resonate is the DeFi Yield futures protocol. Resonate splits apart the interest and principal components of a yield-bearing position. Those who hold tokens which may be deposited into yield-bearing systems can receive an instant, upfront payment on the present value of that future yield, in exchange for locking their tokens. It is an ideal solution for traders who want to receive guaranteed and consistent yield farming rewards for staking tokens or providing liquidity.
PoC required
Assets in Scope
Impacts in Scope
- Theft of user funds in O(1) transactional complexity, including the theft of user funds from multiple pools within the same transaction
- Permanent freezing of user funds
- Theft of user funds in O(n) transactional complexity, including the theft of user funds from multiple pools requiring multiple transactions
- Temporary freezing of user funds for periods greater than one hour with no escape-hatch available during that period
- Price manipulation via oracle-based attacks that results in theft of value, excluding provider-based attacks such as Chainlink
- Temporary freezing of user funds for periods less than one hour but spanning multiple blocks
- Griefing and/or gas theft
- Admin-based attacks that allow for theft of user-value
- Price manipulation via oracle-based attacks that results in loss of value, excluding provider-based attacks such as Chainlink
- Unintentional release of funds ahead of time
- Smart contract fails to deliver promised returns without losing value
- Price manipulation via oracle-based attacks that do not result in any loss of value, excluding provider-based attacks such as Chainlink
Out of scope
- Best practice critiques
- Curve reentrancy vulnerabilities, which are not a valid vector against our system.
Smart Contract specific
- Incorrect data supplied by third party oracles (not to exclude oracle manipulation/flash loan attacks)
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in GitHub will be considered out of scope without proof that they are in use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers