Summer.fi
Summer.fi aims to be the most trusted entry point to deploy your capital into Decentralized Finance. You can now use it to borrow (generate) Dai and to Multiply the exposure to your favorite collateral assets, doing leverage-like trading.
PoC required
Select the category you'd like to explore
Assets in Scope
Impacts in Scope
Any sort of loss of user funds, direct theft of any user funds, whether at-rest or in-motion, other than unclaimed yield
Permanent freezing of funds
Protocol insolvency
Causing any sort of economical damage to the smart contracts or the users (e.g. unbounded or unacceptable slippage)
Unauthorized access resulting in the loss of funds
Attacks leading to repeatable and unequivocal loss or permanent locking of user funds e.g: Direct theft of user, signing transactions for other users, redirection of user deposits and withdrawals, wallet interaction modification resulting in financial loss
Taking down the application/website permanently without the possibility of restoring it (Persistent)
Attacks leading to repeatable, unequivocal loss or permanent locking of user funds: tampering with transactions submitted to users wallet, submitting malicious transactions to connected wallet, submitting incorrect transactions due to the application error
Temporary freezing of funds for at least five blocks
Taking down the application/website temporarily with the possibility of restoring it
Ability to execute system commands
Extract Sensitive data/files from the server such as /etc/passwd
Out of scope
- Attacks requiring the exploitation of previously-discovered bugs. If a bug report covers a known issue, it may be rejected together with proof of the issue being known before escalation of the bug report
- Best practice critiques
Smart Contract specific
- Incorrect data supplied by third party oracles
- Not to exclude oracle manipulation/flash loan attacks
- Impacts requiring basic economic and governance attacks (e.g. 51% attack)
- Lack of liquidity impacts
- Impacts from Sybil attacks
- Impacts involving centralization risks
All categories
- Impacts requiring attacks that the reporter has already exploited themselves, leading to damage
- Impacts caused by attacks requiring access to leaked keys/credentials
- Impacts caused by attacks requiring access to privileged addresses (including, but not limited to: governance and strategist contracts) without additional modifications to the privileges attributed
- Impacts relying on attacks involving the depegging of an external stablecoin where the attacker does not directly cause the depegging due to a bug in code
- Mentions of secrets, access tokens, API keys, private keys, etc. in Github will be considered out of scope without proof that they are in-use in production
- Best practice recommendations
- Feature requests
- Impacts on test files and configuration files unless stated otherwise in the bug bounty program
- Impacts requiring phishing or other social engineering attacks against project's employees and/or customers
47.5k