
Yearn Finance

Yearn Finance is a suite of products in Decentralized Finance (DeFi) that provides lending aggregation and yield generation on the Ethereum blockchain. The protocol is maintained by various independent developers and is governed by YFI holders. Their products include:

Arbitrum, ETH, Fantom, Optimism, Blockchain, Defi, Lending, Yield Aggregator, Solidity

Maximum Bounty: $200,000
Live Since: 01 July 2021
Last Updated: 29 November 2024
  • PoC required

Codebase: Yearn Finance Smart Contracts (Program Smart Contracts)

Documentation: Yearn Finance Documentation (Program Documentation)

Finding More Assets in Scope

Yearn adds and removes Vaults and Strategies from Production on an ongoing basis. Yearn provides helper contracts (see table below) to list the actual contracts that are considered in scope for this bug bounty program.

The following functions can be called to obtain a list of smart contract addresses that are currently in Production and that are covered by the program:

Network     Contracts                     Addresses (NOT IN SCOPE)
Ethereum    StrategiesHelper              0x5b4F3BE554a88Bd0f8d8769B9260be865ba03B4a
            AddressesGeneratorV2Vaults    0x437758D475F70249e03EDa6bE23684aD1FC375F0
Fantom      StrategiesHelper              0x97D0bE2a72fc4Db90eD9Dbc2Ea7F03B4968f6938
            AddressesGeneratorV2Vaults    0x8ca27a3ab8917a033f278D20135d2467faA099bA
Optimism    StrategiesHelper              0xD3A93C794ee2798D8f7906493Cd3c2A835aa0074
            AddressesGeneratorV2Vaults    0xD63aB09ac2048a7eCac92f0fFad5F104edD0E032
Arbitrum    StrategiesHelper              0x66a1a27f4b22dcaa24e427dcffbf0cddd9d35e0f
            AddressesGeneratorV2Vaults    0x3a8efa2d87d60c0289f19b44a0928f4269c0f094

Functions to list bounty program contracts:

  • StrategiesHelper - assetsStrategiesAddresses()
  • AddressesGeneratorV2Vaults - assetsAddresses()

Other contracts, outside of the ones mentioned here, might be considered on a case-by-case basis, as long as economic damage can be achieved.

For further information about in-scope contracts from Yearn, refer to the following doc: https://github.com/yearn/yearn-security/blob/master/SECURITY.md. For information about vaults and strategies, please refer to their GitHub repository: https://github.com/yearn/yearn-vaults. Additionally, you may refer to https://seafood.yearn.watch and https://yearn.watch/stats for more information about each smart contract.

Submission Requirements

In order to be considered for a reward, all bug reports must contain the following:

  • Description of suspected vulnerability
  • Steps to reproduce the issue
  • A valid PoC showing the attack, where the outcome has clear economic damage for any of the contracts listed in scope.
  • Your name and/or colleagues if you wish to be later recognized
  • (Optional) A patch and/or suggestions to resolve the vulnerability

Ethical Behavior Requirements

Responsible disclosure is predicated on ethical behavior. These guidelines outline best practices for the community as a whole, whether you are reporting or are the recipient of a report. By stating that you adhere to this policy, you’re claiming to handle vulnerability information ethically and to abide by the following:

  • Do not attempt to leverage a vulnerability, or information of its existence, as part of a financial trading strategy or otherwise for financial gain.
  • Do not attempt to compromise systems upon which development of a product relies, including but not limited to compromising development systems, accounts, domains, email, etc.
  • Do not attempt to sell vulnerability information or exploits.
  • Do not ask for any form of compensation from an affected party. You may compensate a disclosing party if you would like to after all known vulnerability details have been disclosed.
  • Do not disclose a bug or vulnerability on mailing lists, public boards, forums, social media or any other channel prior to responsibly disclosing it to the organizations you have a published relationship with.
  • Do not attempt any illegal acts, including phishing, physical attacks, DDoS, or any attempt to gain access without authorization.

3rd Party Affected Projects

In the case where we become aware of security issues affecting other projects that have never affected Yearn, our intention is to inform those projects of the security issues on a best-effort basis.

In the case where we fix a security issue in Yearn that also affects the following neighboring projects, our intention is to engage in responsible disclosure with them as described in the adopted standard, subject to the deviations described in the deviations section below.

Deviations from the Standard

In the case of a counterfeiting or fund-stealing bug affecting Yearn, however, we might decide not to include those details with our reports to partners ahead of coordinated release, as long as we are sure that they are not vulnerable.